Plan the redistribution architecture.
Some factors to consider are:
Which firewalls will enforce policies for all users, and which firewalls will enforce region- or function-specific policies for a subset of users?
How many hops does the redistribution sequence require to aggregate all User-ID information? The maximum allowed number of hops is ten.
How can you minimize the number of firewalls that query the user mapping information sources? The fewer firewalls that query the sources, the lower the processing load on both the firewalls and the sources.
Perform the following steps on the firewalls in the User-ID redistribution sequence.
Configure the firewall to redistribute User-ID
information.
Skip this step if the firewall receives but does not redistribute
User-ID information.
Select Device > User Identification > User Mapping.
(Firewalls with multiple virtual systems only)
Select the Location. You must configure the
User-ID settings for each virtual system.
You can redistribute information among
virtual systems on different firewalls or on the same firewall.
In both cases, each virtual system counts as one hop in the redistribution sequence.
Edit the Palo Alto Networks User-ID Agent Setup and
select Redistribution.
Enter a Collector Name and Pre-Shared
Key to identify this firewall or virtual system as a
User-ID agent.
Click OK to save your changes.
Configure the service route that the firewall uses to
query other firewalls for User-ID information.
Skip this step if the firewall receives user mapping information
from Windows-based User-ID agents or directly from the information
sources (such as directory servers) instead of from other firewalls.
Select Device > Setup > Services.
(Firewalls with multiple virtual systems only)
Select Global (for a firewall-wide service
route) or Virtual Systems (for a virtual
system-specific service route), and then configure the service route.
Click Service Route Configuration,
select Customize, and select IPv4 or IPv6 based
on your network protocols. Configure the service route for both
protocols if your network uses both.
Select UID Agent and then select
the Source Interface and Source
Address.
Click OK twice to save the
service route.
Enable the firewall to respond when other firewalls query
it for User-ID information.
Skip this step if the firewall receives but does not redistribute
User-ID information.
Access the CLI of a firewall that redistributes
User-ID information.
Display all the user mappings by running the following
command:
> show user ip-user-mapping all
Record the IP address associated with any username.
Access the CLI of a firewall that receives redistributed
User-ID information.
Display the mapping information and authentication
timestamp for the <ip_address> you recorded:
> show user ip-user-mapping ip <ip_address>
IP address: 192.0.2.0 (vsys1)
User: corpdomain\username1
From: UIA
Idle Timeout: 10229s
Max. TTL: 10229s
MFA Timestamp: first(1) - 2016/12/09 08:35:04
Group(s): corpdomain\groupname(621)
This example output shows the authentication timestamp for one response to an authentication challenge (factor). For Authentication policy rules that use Multi-Factor Authentication (MFA), the output shows multiple Authentication Timestamps.
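As an added example (not part of the Palo Alto Networks documentation), the following Python parses the detailed mapping output shown above as captured on both the redistributing and the receiving firewall, and reports any difference in user, IP or MFA timestamps so the verification step can be scripted across many firewalls. Both sample outputs are constructed; the source label AD on the redistributing firewall is an assumption.

```python
import re

# Constructed samples (not real captures) in the "Key: value" format of the page's
# example. Receiver side: the firewall that holds the redistributed mapping.
RECEIVER_OUTPUT = r"""
IP address: 192.0.2.0 (vsys1)
User: corpdomain\username1
From: UIA
MFA Timestamp: first(1) - 2016/12/09 08:35:04
"""
# Source side: the same IP on the redistributing firewall ("AD" is an assumption).
SOURCE_OUTPUT = r"""
IP address: 192.0.2.0 (vsys1)
User: corpdomain\username1
From: AD
MFA Timestamp: first(1) - 2016/12/09 08:35:04
"""
# One MFA factor entry: factor name, factor number, timestamp.
MFA_RE = re.compile(r"(\w+)\((\d+)\) - (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")

def parse_mapping(text):
    """Parse one mapping into a dict; MFA timestamps become a list of
    (factor_number, timestamp) so multi-factor mappings compare correctly."""
    mapping = {"mfa": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # split on the first colon only
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "IP address":  # "192.0.2.0 (vsys1)" -> ip and vsys
            mapping["ip"], _, vsys = value.partition(" ")
            mapping["vsys"] = vsys.strip("()")
        elif key == "MFA Timestamp":
            mapping["mfa"] += [(int(n), ts) for _, n, ts in MFA_RE.findall(value)]
        else:
            mapping[key] = value
    return mapping

def verify_redistribution(source_text, receiver_text):
    """Return problems found comparing the source mapping with the receiver's copy."""
    src, rcv = parse_mapping(source_text), parse_mapping(receiver_text)
    problems = []
    if (src.get("ip"), src.get("User")) != (rcv.get("ip"), rcv.get("User")):
        problems.append(f"user/IP differ: {src.get('User')}@{src.get('ip')} vs "
                        f"{rcv.get('User')}@{rcv.get('ip')}")
    if rcv.get("From") != "UIA":  # redistributed mappings arrive via a User-ID agent
        problems.append(f"receiver learned {rcv.get('ip')} from {rcv.get('From')}, not UIA")
    if src["mfa"] != rcv["mfa"]:  # MFA timestamps must survive redistribution
        problems.append(f"MFA timestamps differ: {src['mfa']} vs {rcv['mfa']}")
    return problems
```

An empty list from verify_redistribution means the user, IP and MFA timestamps arrived intact at the receiving firewall.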