Redistribute Data to Managed Firewalls
Table of Contents
10.0 (EoL)
Expand all | Collapse all
-
- Determine Panorama Log Storage Requirements
-
- Setup Prerequisites for the Panorama Virtual Appliance
- Perform Initial Configuration of the Panorama Virtual Appliance
- Set Up The Panorama Virtual Appliance as a Log Collector
- Set Up the Panorama Virtual Appliance with Local Log Collector
- Set up a Panorama Virtual Appliance in Panorama Mode
- Set up a Panorama Virtual Appliance in Management Only Mode
-
- Preserve Existing Logs When Adding Storage on Panorama Virtual Appliance in Legacy Mode
- Add a Virtual Disk to Panorama on an ESXi Server
- Add a Virtual Disk to Panorama on vCloud Air
- Add a Virtual Disk to Panorama on Alibaba Cloud
- Add a Virtual Disk to Panorama on AWS
- Add a Virtual Disk to Panorama on Azure
- Add a Virtual Disk to Panorama on Google Cloud Platform
- Add a Virtual Disk to Panorama on Hyper-V
- Add a Virtual Disk to Panorama on KVM
- Add a Virtual Disk to Panorama on Oracle Cloud Infrastructure (OCI)
- Mount the Panorama ESXi Server to an NFS Datastore
-
- Increase CPUs and Memory for Panorama on an ESXi Server
- Increase CPUs and Memory for Panorama on vCloud Air
- Increase CPUs and Memory for Panorama on Alibaba Cloud
- Increase CPUs and Memory for Panorama on AWS
- Increase CPUs and Memory for Panorama on Azure
- Increase CPUs and Memory for Panorama on Google Cloud Platform
- Increase CPUs and Memory for Panorama on Hyper-V
- Increase CPUs and Memory for Panorama on KVM
- Increase CPUs and Memory for Panorama on Oracle Cloud Infrastructure (OCI)
- Complete the Panorama Virtual Appliance Setup
-
- Convert Your Evaluation Panorama to a Production Panorama with Local Log Collector
- Convert Your Evaluation Panorama to a Production Panorama without Local Log Collector
- Convert Your Evaluation Panorama to VM-Flex Licensing with Local Log Collector
- Convert Your Evaluation Panorama to VM-Flex Licensing without Local Log Collector
- Convert Your Production Panorama to an ELA Panorama
-
- Register Panorama
- Activate a Panorama Support License
- Activate/Retrieve a Firewall Management License when the Panorama Virtual Appliance is Internet-connected
- Activate/Retrieve a Firewall Management License when the Panorama Virtual Appliance is not Internet-connected
- Activate/Retrieve a Firewall Management License on the M-Series Appliance
- Install the Panorama Device Certificate
-
- Panorama, Log Collector, Firewall, and WildFire Version Compatibility
- Install Updates for Panorama in an HA Configuration
- Install Updates for Panorama with an Internet Connection
- Install Updates for Panorama When Not Internet-Connected
- Install Updates Automatically for Panorama without an Internet Connection
- Migrate Panorama Logs to the New Log Format
-
- Migrate from a Panorama Virtual Appliance to an M-Series Appliance
- Migrate a Panorama Virtual Appliance to a Different Hypervisor
- Migrate from an M-Series Appliance to a Panorama Virtual Appliance
- Migrate from an M-100 Appliance to an M-500 Appliance
- Migrate from an M-100 or M-500 Appliance to an M-200 or M-600 Appliance
-
- Configure an Admin Role Profile
- Configure an Access Domain
-
- Configure a Panorama Administrator Account
- Configure Local or External Authentication for Panorama Administrators
- Configure a Panorama Administrator with Certificate-Based Authentication for the Web Interface
- Configure an Administrator with SSH Key-Based Authentication for the CLI
- Configure RADIUS Authentication for Panorama Administrators
- Configure TACACS+ Authentication for Panorama Administrators
- Configure SAML Authentication for Panorama Administrators
-
- Add a Firewall as a Managed Device
-
- Add a Device Group
- Create a Device Group Hierarchy
- Create Objects for Use in Shared or Device Group Policy
- Revert to Inherited Object Values
- Manage Unused Shared Objects
- Manage Precedence of Inherited Objects
- Move or Clone a Policy Rule or Object to a Different Device Group
- Push a Policy Rule to a Subset of Firewalls
- Manage the Rule Hierarchy
- Manage the Master Key from Panorama
- Redistribute Data to Managed Firewalls
-
- Add Standalone WildFire Appliances to Manage with Panorama
- Remove a WildFire Appliance from Panorama Management
-
-
- Configure a Cluster and Add Nodes on Panorama
- Configure General Cluster Settings on Panorama
- Remove a Cluster from Panorama Management
- Configure Appliance-to-Appliance Encryption Using Predefined Certificates Centrally on Panorama
- Configure Appliance-to-Appliance Encryption Using Custom Certificates Centrally on Panorama
- View WildFire Cluster Status Using Panorama
- Upgrade a Cluster Centrally on Panorama with an Internet Connection
- Upgrade a Cluster Centrally on Panorama without an Internet Connection
-
-
- Manage Licenses on Firewalls Using Panorama
-
- Supported Updates
- Schedule a Content Update Using Panorama
- Upgrade Log Collectors When Panorama Is Internet-Connected
- Upgrade Log Collectors When Panorama Is Not Internet-Connected
- Upgrade Firewalls When Panorama Is Internet-Connected
- Upgrade Firewalls When Panorama Is Not Internet-Connected
- Upgrade a ZTP Firewall
- Revert Content Updates from Panorama
-
- Preview, Validate, or Commit Configuration Changes
- Enable Automated Commit Recovery
- Compare Changes in Panorama Configurations
- Manage Locks for Restricting Configuration Changes
- Add Custom Logos to Panorama
- Use the Panorama Task Manager
- Reboot or Shut Down Panorama
- Configure Panorama Password Profiles and Complexity
-
-
- Verify Panorama Port Usage
- Resolve Zero Log Storage for a Collector Group
- Replace a Failed Disk on an M-Series Appliance
- Replace the Virtual Disk on an ESXi Server
- Replace the Virtual Disk on vCloud Air
- Migrate Logs to a New M-Series Appliance in Log Collector Mode
- Migrate Logs to a New M-Series Appliance in Panorama Mode
- Migrate Logs to a New M-Series Appliance Model in Panorama Mode in High Availability
- Migrate Logs to the Same M-Series Appliance Model in Panorama Mode in High Availability
- Migrate Log Collectors after Failure/RMA of Non-HA Panorama
- Regenerate Metadata for M-Series Appliance RAID Pairs
- View Log Query Jobs
- Troubleshoot Commit Failures
- Troubleshoot Registration or Serial Number Errors
- Troubleshoot Reporting Errors
- Troubleshoot Device Management License Errors
- Troubleshoot Automatically Reverted Firewall Configurations
- Complete Content Update When Panorama HA Peer is Down
- View Task Success or Failure Status
- Downgrade from Panorama 10.0
End-of-Life (EoL)
Redistribute Data to Managed Firewalls
To ensure all the firewalls that enforce policies
and generate reports have the required data and authentication timestamps for your policy
rules, you can leverage your Panorama infrastructure to redistribute
the mappings and timestamps.
- Configure the Panorama management server
to redistribute data.
- Add firewalls, virtual systems, or Windows
User-ID agents as redistribution agents to Panorama:
- Select PanoramaData Redistribution and Add each redistribution agent.
- Enter a Name to identify the redistribution agent.
- Confirm that the agent is Enabled.
- Enter the Host name or IP address of the MGT interface on firewall.
- Enter the Port number on which the firewall will listen for data redistribution queries (default is 5007).
- If the redistribution agent is a firewall or virtual system, enter the Collector Name and Collector Pre-Shared Key.
- Select the Data type that you want to
redistribute. You can select all data types, but you must select
at least one of the following data types:
- IP User Mappings
- IP Tags
- User Tags
- HIP
- Quarantine List
- Click OK to save the configuration.
- Enable the Panorama MGT interface to respond to data
redistribution queries from firewalls:If the Panorama management server has a high availability (HA) configuration, perform this step on each HA peer as a best practice so that redistribution continues if Panorama fails over.
- Select PanoramaSetupInterfaces and Management.
- Select User-ID in the Network Services section and click OK.
- Select CommitCommit to Panorama to activate your changes on Panorama.
- Add firewalls, virtual systems, or Windows
User-ID agents as redistribution agents to Panorama:
- Configure firewalls to receive data that Panorama redistributes.
- Select DeviceData RedistributionAgents then select the Template to which the firewalls are assigned.
- Add an agent and enter a Name.
- Select how you want to add the agent:
- Serial Number—Select the Serial
Number of the Panorama you want to use from the list:
- panorama—The active or solitary Panorama
- panorama2—(HA only) The passive Panorama
- Host and Port—Specify the following information:
- Select the Host name or IP address of the MGT interface on firewall.
- Select whether the host is an LDAP Proxy.
- Enter the Port number on which the firewall will listen for data redistribution queries (default is 5007).
- If the redistribution agent is a firewall or virtual system, enter the Collector Name and Collector Pre-Shared Key.
- Select the Data type that you want to redistribute.
- Serial Number—Select the Serial
Number of the Panorama you want to use from the list:
- Confirm that the agent is Enabled and click OK to save the configuration.
- Select CommitCommit and Push to activate your changes on Panorama and push the changes to the firewalls.
- Verify that Panorama and firewalls receive redistributed
data.
- View the agent statistics PanoramaData RedistributionAgents and select Status to view a summary of the activity for the redistribution agent, such as the number of mappings that the client firewall has received.
- Confirm the Source Name in the User-ID logs (MonitorLogsUser-ID) to verify that the firewall receives the mappings from the redistribution agents.
- View the IP-Tag log (MonitorLogsIP-Tag) to confirm that the client firewall receives data.
- Access the CLI of a firewall or Panorama management server that redistributes data.
- Display all the user mappings by running the following
command:
> show user ip-user-mapping all - Record the IP address associated with any one username.
- Access the CLI of a firewall or Panorama management server that receives redistributed data.
- Display the mapping information and authentication
timestamp for the <IP-address> you recorded:
> show user ip-user-mapping ip <IP-address> IP address: 192.0.2.0 (vsys1) User: corpdomain\username1 From: UIA Idle Timeout: 10229s Max. TTL: 10229s MFA Timestamp: first(1) - 2016/12/09 08:35:04 Group(s): corpdomain\groupname(621)This example output shows the timestamp for a response to one authentication challenge (factor). For Authentication rules that use multi-factor authentication (MFA), the output shows multiple timestamps.