Redistribute Data to Managed Firewalls
Table of Contents
Redistribute Data to Managed Firewalls
To ensure all the firewalls that enforce policies
and generate reports have the required data and authentication timestamps for your policy
rules, you can leverage your Panorama infrastructure to redistribute
the mappings and timestamps.
- Configure the Panorama management server to redistribute data.
- Add firewalls, virtual systems, or Windows User-ID agents as redistribution agents to Panorama:
- Select and Add each redistribution agent.
- Enter a Name to identify the redistribution agent.
- Confirm that the agent is Enabled.
- Enter the Host name or IP address of the MGT interface on firewall.
- Enter the Port number on which the firewall will listen for data redistribution queries (default is 5007).
- If the redistribution agent is a firewall or virtual system, enter the Collector Name and Collector Pre-Shared Key.
- Select the Data type that you want to
redistribute. You can select all data types, but you must select
at least one of the following data types:
- IP User Mappings
- IP Tags
- User Tags
- HIP
- Quarantine List
- Click OK to save the configuration.
Enable the Panorama MGT interface to respond to data redistribution queries from firewalls:If the Panorama management server has a high availability (HA) configuration, perform this step on each HA peer as a best practice so that redistribution continues if Panorama fails over.- Select and Management.
- Select User-ID in the Network Services section and click OK.
Select to activate your changes on Panorama.Configure firewalls to receive data that Panorama redistributes.- Select then select the Template to which the firewalls are assigned.Add an agent and enter a Name.Select how you want to add the agent:
- Serial Number—Select the Serial
Number of the Panorama you want to use from the list:
- panorama—The active or solitary Panorama
- panorama2—(HA only) The passive Panorama
- Host and Port—Specify the following information:
- Select the Host name or IP address of the MGT interface on firewall.
- Select whether the host is an LDAP Proxy.
- Enter the Port number on which the firewall will listen for data redistribution queries (default is 5007).
- If the redistribution agent is a firewall or virtual system, enter the Collector Name and Collector Pre-Shared Key.
- Select the Data type that you want to redistribute.
Confirm that the agent is Enabled and click OK to save the configuration.Select to activate your changes on Panorama and push the changes to the firewalls.Verify that Panorama and firewalls receive redistributed data.- View the agent statistics and select Status to view a summary of the activity for the redistribution agent, such as the number of mappings that the client firewall has received.Confirm the Source Name in the User-ID logs () to verify that the firewall receives the mappings from the redistribution agents.View the IP-Tag log () to confirm that the client firewall receives data.Access the CLI of a firewall or Panorama management server that redistributes data.Display all the user mappings by running the following command:
> show user ip-user-mapping allRecord the IP address associated with any one username.Access the CLI of a firewall or Panorama management server that receives redistributed data.Display the mapping information and authentication timestamp for the <IP-address> you recorded:> show user ip-user-mapping ip <IP-address> IP address: 192.0.2.0 (vsys1) User: corpdomain\username1 From: UIA Idle Timeout: 10229s Max. TTL: 10229s MFA Timestamp: first(1) - 2016/12/09 08:35:04 Group(s): corpdomain\groupname(621)This example output shows the timestamp for a response to one authentication challenge (factor). For Authentication rules that use multi-factor authentication (MFA), the output shows multiple timestamps.
