Streamlined and Resilient Redistribution
10.0 (EoL)
Redistribute data by configuring the source once and
selecting what type of information the source redistributes.
Data redistribution is now more streamlined to configure and more
resilient after deployment. You configure the source once, then select
the type of information you want it to redistribute and the devices that
should receive that information from the source, instead of configuring
the source separately for each data type, which is time-consuming and
repetitive. You can redistribute:
- User-ID mappings (including Windows User-ID agents)
- IP address-to-tag mappings for dynamic address groups
- username-to-tag mappings for dynamic user groups
- data for HIP-based Policy Enforcement
- device quarantine information (Panorama only)
Data redistribution uses two components:
- The redistribution agent, which provides the information
- The redistribution client, which connects to the agent to receive the information
In addition, these improvements help detect and prevent redistribution
loops: a mapping that carries no record of its original source travels
through the network and returns to that source, which could then treat
it as a new mapping.
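The loop case described above, as an added example that is not PAN-OS code: three firewalls in a ring, each a redistribution client of the previous one, pass a mapping around carrying a route list in the manner of the traceroute <route> field. With the route check, the origin recognises its own address in the route and drops the returned mapping; without it, the origin overwrites its own locally learned entry with a REDIST copy and keeps forwarding until a hop cap stops it. The node addresses, the table layout and the hop cap are assumptions made for the demonstration.

```python
"""Redistribution loop detection modelled on a per-mapping route list.

Added example, not PAN-OS code. Node addresses, the table layout and the
hop cap (MAX_HOPS) are assumptions made for the demonstration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

MAX_HOPS = 12  # assumed safety cap so the variant without loop detection terminates


@dataclass
class Mapping:
    ip: str
    user: str
    origin: str                                     # node that learned the mapping first
    route: list[str] = field(default_factory=list)  # nodes traversed so far (the <route> field)


class Node:
    """A firewall that is a redistribution client of one node and an agent for others."""

    def __init__(self, node_id: str, loop_detection: bool) -> None:
        self.node_id = node_id
        self.loop_detection = loop_detection
        self.clients: list[Node] = []
        # ip -> (user, source); source is LOCAL for a mapping this node learned itself, REDIST otherwise
        self.table: dict[str, tuple[str, str]] = {}
        self.dropped: list[list[str]] = []  # routes of mappings rejected because they looped back
        self.hops_capped = False

    def learn_local(self, ip: str, user: str) -> None:
        self.table[ip] = (user, "LOCAL")
        self._forward(Mapping(ip, user, origin=self.node_id, route=[self.node_id]))

    def receive(self, m: Mapping) -> None:
        if self.loop_detection and self.node_id in m.route:
            # The route already names this node: the mapping has come back around, so drop it
            # instead of treating it as a newly learned mapping.
            self.dropped.append(list(m.route))
            return
        if len(m.route) >= MAX_HOPS:
            self.hops_capped = True
            return
        # Without the route check, the origin reaches this line and replaces its own LOCAL
        # entry with a REDIST copy of the same mapping, then forwards it again.
        self.table[m.ip] = (m.user, "REDIST")
        self._forward(Mapping(m.ip, m.user, m.origin, m.route + [self.node_id]))

    def _forward(self, m: Mapping) -> None:
        for client in self.clients:
            client.receive(m)


def run_ring(loop_detection: bool) -> tuple[Node, Node, Node]:
    """Build A -> B -> C -> A, let A learn one mapping, and return the nodes for inspection."""
    a = Node("198.51.100.0", loop_detection)
    b = Node("198.51.100.1", loop_detection)
    c = Node("198.51.100.2", loop_detection)
    a.clients, b.clients, c.clients = [b], [c], [a]
    a.learn_local("192.0.2.0", "jimdoe")
    return a, b, c


if __name__ == "__main__":
    for detect in (True, False):
        a, b, c = run_ring(detect)
        print(f"loop detection={detect}: A has {a.table['192.0.2.0']}, "
              f"dropped routes={a.dropped}, hop cap hit={a.hops_capped}")
```

Run it and compare the two lines: with detection on, A keeps its LOCAL entry and records exactly one dropped route (A, B, C); with detection off, A ends up holding a REDIST copy of a mapping it originated, which is the failure mode the feature is designed to prevent.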
- On a redistribution client firewall, configure the firewall,
Windows User-ID agent, or Panorama that acts as the agent redistributing
data to the client.
- Select Device > Data Redistribution > Agents on the firewall, or Panorama > Data Redistribution > Agents on Panorama.
- Add a redistribution agent.
- Enter a Name for the redistribution agent.
- Confirm that the agent is Enabled.
- Select whether you want to add the agent using its Serial Number or
its Host and Port numbers.
- To add an agent using a serial number, select the Serial Number of the firewall or Panorama you want to use as a redistribution agent.
- To add an agent using its host and port numbers:
- Enter the Host
- Select whether the host is an LDAP Proxy.
- Enter the Port (range is 1 to 65535).
- (Virtual systems only) Enter the Collector Name to identify which virtual system you want to use as a redistribution agent.
- (Virtual systems only) Enter and confirm the Collector Pre-Shared Key for the virtual system you want to use as a redistribution agent.
- Select the Data type or types
you want the agent to redistribute to the client.
- IP User Mappings—IP address-to-username mappings for User-ID.
- IP Tags—IP address-to-tag mappings for dynamic address groups.
- User Tags—Username-to-tag mappings for dynamic user groups.
- HIP—Host information profile (HIP) data from GlobalProtect, which includes HIP objects and profiles.
- Quarantine List—Devices that GlobalProtect identifies as compromised.
- (Virtual systems only) Configure a virtual system
as a collector that can redistribute data. Skip this step if the firewall receives but does not redistribute data.
- Select Device > Data Redistribution > Collector Settings, then edit the Data Redistribution Agent Setup.
- Enter a Collector Name to identify the virtual system that you want to receive redistribution information.
- Enter and confirm the Collector Pre-Shared Key for the virtual system that you want to receive redistribution information.
- Click OK.
- (Optional but recommended) Configure which networks
you want the agent or agents to include in data redistribution
and which networks to exclude. You can include or exclude networks and subnetworks when redistributing either IP address-to-tag mappings or IP address-to-username mappings. As a best practice, always specify which networks to include and exclude so that the agent communicates only with internal resources.
- Select Device > Data Redistribution > Include/Exclude Networks.
- Add an entry and enter a Name for the entry.
- Ensure the entry is Enabled.
- Select whether you want to Include or Exclude the entry.
- Enter the Network Address for the entry.
- Click OK.
- (Optional but recommended) Enable Authentication with Custom Certificates for Redistribution to use a custom
certificate for mutual authentication between the redistribution
agents and the clients. Because Panorama can be either an agent or a client, use Panorama > Data Redistribution to configure data redistribution on Panorama.
- Commit your changes.
- Verify that the agents correctly redistribute data to the
clients.
- View the agent statistics: select Device > Data Redistribution > Agents and click Status to view a summary of the activity for the redistribution agent, such as the number of mappings that the client firewall has received.
- Confirm that the Connected status is yes.
- Access the CLI and enter the following CLI command on the agent to check the status of the redistribution: show redistribution service status.
- Enter the following CLI command on the client to check the status of the redistribution: show redistribution service client all.
- Confirm the Source Name in the User-ID logs (Monitor > Logs > User-ID) to verify that the firewall receives the mappings from the redistribution agents.
- On the client firewall, view the IP-Tag log (Monitor > Logs > IP-Tag) to confirm that the client firewall receives data.
- Enter the following CLI command and verify that the source the firewall receives the mappings From is REDIST: show user ip-user-mapping all.
- Enter the following CLI command to view the redistribution clients: show redistribution service client all.
- (Optional) To troubleshoot data redistribution,
enable the traceroute option. When you enable it, each firewall that receives the data appends its IP address to the <route> field, which lists every firewall IP address that the data has traversed. This option requires that all PAN-OS devices in the redistribution route run PAN-OS 10.0. If a device in the route runs PAN-OS 9.1.x or an earlier version, the traceroute information terminates at that device.
- On the redistribution agent where the source originates, enter the following CLI command: debug user-id test cp-login traceroute yes ip-address <ip-address> user <username>, where <ip-address> is the IP address of the IP address-to-username mapping you want to verify and <username> is the username of that mapping.
- On a client of the firewall where you configured the
traceroute, verify that the firewall redistributes the data bidirectionally
by entering the following CLI command: show user ip-user-mapping all. The output shows when the mapping was created (Created), its sequence number (SeqNumber), the origin firewall and the route nodes the mapping traversed, and whether the user is a GlobalProtect user (GP User).

    admin> show user ip-user-mapping-mp ip 192.0.2.0
    IP address:   192.0.2.0 (vsys1)
    User:         jimdoe
    From:         REDIST
    Timeout:      889s
    Created:      11s ago
    Origin:       198.51.100.0
    SeqNumber:    15895329682-67831262
    GP User:      No
    Local HIP:    No
    Route Node 0: 198.51.100.0 (vsys1)
    Route Node 1: 198.51.100.1 (vsys1)
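The verification steps above, and the Include/Exclude Networks step earlier in the procedure, as one added example that is not PAN-OS code: it parses the sample output shown on this page (embedded below as a constructed copy, one field per line), confirms that the mapping arrived via redistribution (From is REDIST) and that the route starts at the origin, and then checks the mapped address against an include/exclude table shaped like the one configured in that step. The matching rule used here (the most specific entry wins, and a non-empty include list denies anything it does not cover) is an assumption made for the example, not a statement of PAN-OS semantics, and the network entries are constructed.

```python
"""Verify a redistributed mapping from 'show user ip-user-mapping' output.

Added example, not PAN-OS code. SAMPLE is a constructed copy of the output
shown on this page; NETWORKS is a constructed include/exclude table, and the
matching rule in redistributable() is an assumption for the example.
"""
from __future__ import annotations

import ipaddress
import re

SAMPLE = """\
admin> show user ip-user-mapping-mp ip 192.0.2.0
IP address:   192.0.2.0 (vsys1)
User:         jimdoe
From:         REDIST
Timeout:      889s
Created:      11s ago
Origin:       198.51.100.0
SeqNumber:    15895329682-67831262
GP User:      No
Local HIP:    No
Route Node 0: 198.51.100.0 (vsys1)
Route Node 1: 198.51.100.1 (vsys1)
"""

# Constructed entries in the shape of the Include/Exclude Networks step: (name, action, network).
NETWORKS = [
    ("corp", "include", "192.0.2.0/24"),
    ("guest-wifi", "exclude", "192.0.2.128/25"),
]

ROUTE_RE = re.compile(r"^Route Node (\d+):\s*(\S+)(?:\s*\((\S+)\))?")
FIELD_RE = re.compile(r"^([A-Za-z ]+?):\s*(.*)$")


def parse_mapping(text: str) -> dict:
    """Turn the one-field-per-line CLI output into a dict; route nodes go, in order, under 'route'."""
    out: dict = {"route": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = ROUTE_RE.match(line)
        if m:  # (index, node address, vsys)
            out["route"].append((int(m.group(1)), m.group(2), m.group(3)))
            continue
        m = FIELD_RE.match(line)
        if m:  # the prompt line has no colon and is skipped naturally
            out[m.group(1)] = m.group(2).strip()
    out["route"].sort()
    ip_field = out.get("IP address", "")
    out["ip"] = ip_field.split()[0] if ip_field else None  # drop the "(vsys1)" suffix
    return out


def redistributable(ip: str, networks=NETWORKS) -> bool:
    """Assumed rule: most specific matching entry wins; if includes exist, unmatched addresses are denied."""
    addr = ipaddress.ip_address(ip)
    best = None
    for _name, action, cidr in networks:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (action, net)
    if best is not None:
        return best[0] == "include"
    return not any(action == "include" for _n, action, _c in networks)


def check_redistributed(parsed: dict, networks=NETWORKS) -> list[str]:
    """Return findings; an empty list means the entry looks like a healthy redistributed mapping."""
    findings: list[str] = []
    if parsed.get("From") != "REDIST":
        findings.append(f"From is {parsed.get('From')!r}, not REDIST: mapping was not learned from a redistribution agent")
    origin = parsed.get("Origin")
    route = [node for _idx, node, _vsys in parsed["route"]]
    if not origin:
        findings.append("no Origin field")
    if not route:
        findings.append("no Route Node entries: traceroute is off at the origin, or the route ended at a pre-10.0 device")
    elif origin and route[0] != origin:
        findings.append(f"route starts at {route[0]}, not at the origin {origin}")
    if parsed["ip"] and not redistributable(parsed["ip"], networks):
        findings.append(f"{parsed['ip']} falls outside the configured include/exclude networks")
    return findings


if __name__ == "__main__":
    parsed = parse_mapping(SAMPLE)
    print(parsed["ip"], parsed["User"], parsed["From"], [n for _, n, _ in parsed["route"]])
    print(check_redistributed(parsed) or "OK: mapping learned via redistribution, route intact, address in scope")
```

Feed it the output of show user ip-user-mapping all one entry at a time; an address that turns up in a client's table while falling in an excluded subnet is the sign that an agent's include/exclude list has not been applied to it, which is exactly what the best-practice note in the procedure is meant to rule out.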