topic Re: Prisma Access Mobile Users - User-id data redistribution to on-prem NGFWs in Prisma Access Discussions

Prisma Access Mobile Users - User-id data redistribution to on-prem NGFWs

VTQNetwork — Thu, 17 Oct 2024 14:27:37 GMT

Hi All,

I have a problem with user-id data redistribution from Prisma Access to on-prem (panorama).

I have 13 globalprotect gateways globally, I see the usernames in traffic logs for all gateways.

I redistribute user-id from prisma to on-prem panorama via service connection and then redistribute from panorama to on-prem firewalls.

Unfortunately, I have no user-id redistribution for 4 of 13 gateways in Panorama -> on-prem NGFWs, so user-based security policies does not work when user is connected to the "affected gateway".

Is it something I can fix on my side?

Kind Regards,

Kacper

Re: Prisma Access Mobile Users - User-id data redistribution to on-prem NGFWs

abhinav2308 — Sat, 19 Oct 2024 13:05:37 GMT

I have a questions
> Are those gateways [for which you are seeing the user ID] are connected to service connection?

Re: Prisma Access Mobile Users - User-id data redistribution to on-prem NGFWs

abhinav2308 — Sat, 19 Oct 2024 13:06:33 GMT

A small correction
for which you are not seeing the user ID

Re: Prisma Access Mobile Users - User-id data redistribution to on-prem NGFWs

VTQNetwork — Mon, 21 Oct 2024 06:13:08 GMT

I have two service connections.

Panorama is connected behind one of them.

Working gateway IS in the same compute center as SC connecting Panorama.

Not working gateways is another SC location and locations without SC.

For the testing purpose, I’ve connected two user-ids (IP address specified for two SCs) to the Panorama (behind one of these two SC).

I see status connected, but it does not change the situation.

Kacper

Re: Prisma Access Mobile Users - User-id data redistribution to on-prem NGFWs

abhinav2308 — Wed, 23 Oct 2024 08:37:41 GMT

Check if you have enabled the identity redistribution on that service connection (where the non working gateways are connected)

Check if you have enabled these option for the SC

ip to user

Ip to tag

User to tag

Re: Prisma Access Mobile Users - User-id data redistribution to on-prem NGFWs

VTQNetwork — Fri, 25 Oct 2024 14:37:41 GMT

OK, I've connected firewall in the site of another SC to sc-user-id for that location...

And it changes nothing. I see the user-id data for the same gateways as before, but the broken are still broken.

Escalating in TAC...

Kind Regards,

Kacper

Re: Prisma Access Mobile Users - User-id data redistribution to on-prem NGFWs

VTQNetwork — Fri, 25 Oct 2024 14:53:59 GMT

Users connected:

Gateway OK: 192.168.227.13

Gateway NOK: 192.168.229.46

User-id info:

admin@panorama> show user ip-user-mapping-mp all | match as.test
192.168.227.13 REDIST as.test@domain 10187 100.107.127.169

admin@firewall(active)> show user ip-user-mapping-mp all | match as.test
192.168.227.13 vsys1 REDIST domain\as.test 10466 100.107.127.169

@abhinav2308 : What do you mean by "Check if you have enabled the identity redistribution on that service connection "?

Kacper

Re: Prisma Access Mobile Users - User-id data redistribution to on-prem NGFWs

abhinav2308 — Mon, 28 Oct 2024 12:12:01 GMT

Identity redistribution is same as user id redistribution

Also the commands which you executed

These need to be executed on the gateway by TAC

I would suggest you to open a case.with the TAC team

Also you can refer to this document for the identity redistribution

Re: Prisma Access Mobile Users - User-id data redistribution to on-prem NGFWs

abhinav2308 — Mon, 28 Oct 2024 12:13:56 GMT

https://docs.paloaltonetworks.com/prisma/prisma-access/3-2/prisma-access-panorama-admin/configure-user-based-policies-with-prisma-access/redistribute-userid-information-for-users-and-networks

Re: Prisma Access Mobile Users - User-id data redistribution to on-prem NGFWs

VTQNetwork — Mon, 28 Oct 2024 15:25:00 GMT

Thanks.

Yeah, I already know this document by heart 😉

I also have support case open for 2 weeks, but here I have better support than with TAC...

My question is one (if you have the Prisma):
Is only one SC user-id enough to get info about all users connected to all gateways globally?

Or if I have 3 SC in 3 sites, should I connect all 3 user-ids from all 3 sites with SC?

Kind Regards,

Kacper

Re: Prisma Access Mobile Users - User-id data redistribution to on-prem NGFWs

abhinav2308 — Tue, 29 Oct 2024 15:50:45 GMT

One service connection configured as user id is enough
for user id you need only two things

> agent
> collector
here your service connection will act as a collector, the main task of collector is collect the user-id

and so what I know is only one service connection is enough to configure.

I will check more about this and update you

Re: Prisma Access Mobile Users - User-id data redistribution to on-prem NGFWs

nikoolayy1 — Wed, 20 Nov 2024 08:50:22 GMT

There is new a feature to select which SC is used for identity redistribution if you have several https://docs.paloaltonetworks.com/prisma-access/release-notes/5-0/prisma-access-about/new-features

Re: Prisma Access Mobile Users - User-id data redistribution to on-prem NGFWs

VTQNetwork — Thu, 21 Nov 2024 11:35:15 GMT

Great news, thank you!

"By default, all of your service connections, in order of proximity, are used for identity redistribution. However, you may not know which specific service connections are being used for identity redistribution at a given moment. And, depending on the number of service connections you have and the number of User-ID agents you’ve configured, this method for identity redistribution can test the limits of your system resources. To solve this, we now give you the option to decide which service connections you want to use for identity redistribution."

The "proximity" in my case was in the 5000km radius 😉

With the new feature deployment I should be able to manage redistribution.

Re: Prisma Access Mobile Users - User-id data redistribution to on-prem NGFWs

VTQNetwork — Thu, 21 Nov 2024 11:38:11 GMT

TAC helped me to solve it. I've had third SC defined, but not used. The lost user-id was being there. So the correct answer is - you MUST connect all SC user-ids even if you think you do not use it. Nobody knows the "proximity" definition.

I'll mark your answer with a link to manual as the solution. It was written "repeat with all"....

Thank you!

Re: Prisma Access Mobile Users - User-id data redistribution to on-prem NGFWs

abhinav2308 — Sat, 23 Nov 2024 05:32:41 GMT

got to know something new
thank you for the information