Redistribute Data to Managed Firewalls

End-of-Life (EoL)

To ensure that all firewalls that enforce policy and generate reports have the user mappings and authentication timestamps your policy rules require, you can use your Panorama infrastructure to redistribute the mappings and timestamps.
  • Configure the Panorama management server to redistribute data.
    1. Add firewalls, virtual systems, or Windows User-ID agents as redistribution agents to Panorama:
      1. Select Panorama > Data Redistribution and Add each redistribution agent.
      2. Enter a Name to identify the redistribution agent.
      3. Confirm that the agent is Enabled.
      4. Enter the Host name or IP address of the MGT interface on the firewall.
      5. Enter the Port number on which the firewall will listen for data redistribution queries (default is 5007).
      6. If the redistribution agent is a firewall or virtual system, enter the Collector Name and Collector Pre-Shared Key.
      7. Select the Data type that you want to redistribute. You can select all data types, but you must select at least one of the following data types:
        • IP User Mappings
        • IP Tags
        • User Tags
        • HIP
        • Quarantine List
      8. Click OK to save the configuration.
    2. Enable the Panorama MGT interface to respond to data redistribution queries from firewalls:
      If the Panorama management server has a high availability (HA) configuration, perform this step on each HA peer as a best practice so that redistribution continues if Panorama fails over.
      1. Select Panorama > Setup > Interfaces and Management.
      2. Select User-ID in the Network Services section and click OK.
    3. Select Commit > Commit to Panorama to activate your changes on Panorama.
  • Configure firewalls to receive data that Panorama redistributes.
    1. Select Device > Data Redistribution > Agents, then select the Template to which the firewalls are assigned.
    2. Add an agent and enter a Name.
    3. Select how you want to add the agent:
      • Serial Number—Select the Serial Number of the Panorama you want to use from the list:
        • panorama—The active or solitary Panorama
        • panorama2—(HA only) The passive Panorama
      • Host and Port—Specify the following information:
        • Select the Host name or IP address of the MGT interface on the firewall.
        • Select whether the host is an LDAP Proxy.
        • Enter the Port number on which the firewall will listen for data redistribution queries (default is 5007).
        • If the redistribution agent is a firewall or virtual system, enter the Collector Name and Collector Pre-Shared Key.
        • Select the Data type that you want to redistribute.
    4. Confirm that the agent is Enabled and click OK to save the configuration.
    5. Select Commit > Commit and Push to activate your changes on Panorama and push the changes to the firewalls.
  • Verify that Panorama and firewalls receive redistributed data.
    1. Select Panorama > Data Redistribution > Agents and select Status to view a summary of the activity for the redistribution agent, such as the number of mappings that the client firewall has received.
    2. Confirm the Source Name in the User-ID logs (Monitor > Logs > User-ID) to verify that the firewall receives the mappings from the redistribution agents.
    3. View the IP-Tag log (Monitor > Logs > IP-Tag) to confirm that the client firewall receives data.
    4. Access the CLI of a firewall or Panorama management server that redistributes data.
    5. Display all the user mappings by running the following command:
      > show user ip-user-mapping all
    6. Record the IP address associated with any one username.
    7. Access the CLI of a firewall or Panorama management server that receives redistributed data.
    8. Display the mapping information and authentication timestamp for the <IP-address> you recorded:
      > show user ip-user-mapping ip <IP-address>
      IP address:    192.0.2.0 (vsys1)
      User:          corpdomain\username1
      From:          UIA
      Idle Timeout:  10229s
      Max. TTL:      10229s
      MFA Timestamp: first(1) - 2016/12/09 08:35:04
      Group(s):      corpdomain\groupname(621)
      This example output shows the timestamp for a response to one authentication challenge (factor). For Authentication rules that use multi-factor authentication (MFA), the output shows multiple timestamps.
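When you verify redistribution across many firewalls, reading the CLI output by eye does not scale. The following Python script is an added example, not part of this documentation and not Palo Alto Networks code: it parses the `show user ip-user-mapping ip <IP-address>` output in the format shown above (captured, for instance, from an SSH session) and checks that the receiving firewall holds the expected user for the address, that the required number of authentication factors is present, and that each factor's timestamp is not older than a freshness window you choose. The sample output embedded in the script is constructed from the example above. It assumes that additional MFA factors, when present, follow the same `label(n) - YYYY/MM/DD HH:MM:SS` pattern as the single factor shown; that layout for multiple factors is an assumption, not something the page confirms.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample: the "show user ip-user-mapping ip" output from the page,
# as a script would receive it from a CLI session on the receiving firewall.
SAMPLE_OUTPUT = """\
IP address:    192.0.2.0 (vsys1)
User:          corpdomain\\username1
From:          UIA
Idle Timeout:  10229s
Max. TTL:      10229s
MFA Timestamp: first(1) - 2016/12/09 08:35:04
Group(s):      corpdomain\\groupname(621)
"""

# "Key:   value" lines; the key stops at the first colon so that the
# clock in the MFA timestamp (08:35:04) is kept in the value.
_FIELD_RE = re.compile(r"^(?P<key>[^:]+):\s*(?P<value>.*)$")
# One factor entry: label(index) - timestamp.  Assumption: further factors,
# when an Authentication rule requires several, use the same pattern.
_FACTOR_RE = re.compile(
    r"(?P<label>\w+)\((?P<index>\d+)\)\s*-\s*"
    r"(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})"
)
_TS_FORMAT = "%Y/%m/%d %H:%M:%S"


@dataclass
class UserMapping:
    ip: str
    vsys: str
    user: str
    source: str            # the "From" field, e.g. UIA
    idle_timeout_s: int
    max_ttl_s: int
    mfa_timestamps: dict = field(default_factory=dict)  # factor index -> datetime
    groups: list = field(default_factory=list)


def _seconds(value):
    """Convert '10229s' to 10229."""
    return int(value.strip().rstrip("s"))


def parse_mapping(text):
    """Parse one 'show user ip-user-mapping ip <addr>' block into a UserMapping."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD_RE.match(line.strip())
        if m:
            fields[m.group("key").strip()] = m.group("value").strip()
    ip, _, rest = fields["IP address"].partition(" ")
    vsys = rest.strip("() ")
    mfa = {}
    for f in _FACTOR_RE.finditer(fields.get("MFA Timestamp", "")):
        mfa[int(f.group("index"))] = datetime.strptime(f.group("ts"), _TS_FORMAT)
    groups = [g.strip() for g in fields.get("Group(s)", "").split(",") if g.strip()]
    return UserMapping(
        ip=ip, vsys=vsys, user=fields["User"], source=fields["From"],
        idle_timeout_s=_seconds(fields["Idle Timeout"]),
        max_ttl_s=_seconds(fields["Max. TTL"]),
        mfa_timestamps=mfa, groups=groups,
    )


def check_mapping(mapping, expected_ip, expected_user, now, max_factor_age_s,
                  required_factors=1):
    """Return a list of findings; an empty list means the mapping passed.

    'now' is a datetime or a string in the firewall's YYYY/MM/DD HH:MM:SS format.
    """
    if isinstance(now, str):
        now = datetime.strptime(now, _TS_FORMAT)
    max_age = timedelta(seconds=max_factor_age_s)
    findings = []
    if mapping.ip != expected_ip:
        findings.append(f"address mismatch: got {mapping.ip}, expected {expected_ip}")
    if mapping.user.lower() != expected_user.lower():
        findings.append(f"user mismatch: got {mapping.user}, expected {expected_user}")
    if len(mapping.mfa_timestamps) < required_factors:
        findings.append(f"only {len(mapping.mfa_timestamps)} of "
                        f"{required_factors} required factor timestamps present")
    for idx, ts in sorted(mapping.mfa_timestamps.items()):
        age = now - ts
        if age > max_age:
            findings.append(f"factor {idx} timestamp {ts:%Y/%m/%d %H:%M:%S} is "
                            f"{int(age.total_seconds())}s old, exceeds {max_factor_age_s}s")
    return findings


if __name__ == "__main__":
    mapping = parse_mapping(SAMPLE_OUTPUT)
    # Compare against the username recorded on the redistributing device (step 6).
    for finding in check_mapping(mapping, "192.0.2.0", "corpdomain\\username1",
                                 "2016/12/09 09:00:00", max_factor_age_s=3600):
        print("FINDING:", finding)
```

In practice you would feed `parse_mapping` the output captured from the receiving firewall and pass `expected_user` from the mapping you recorded on the redistributing device; a non-empty findings list points at a redistribution agent that is disabled, unreachable, or pushing stale timestamps, which is what the Status view and the User-ID log help you narrow down.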