topic Re: How to work about multiple User-ID Agent in an appliance ? in General Topics

How to work about multiple User-ID Agent in an appliance ?

neilwu — Tue, 01 Sep 2015 11:44:20 GMT

Hi,

I have 3 domains in different locations (US, CN, TW) each one have its own User-ID agent.

We deployed PA-3020 in each location and each one had set those 3 User-ID agents in the User-ID Agent configuration.

If a user account belong to US and it login at CN, how does the PA appliance to get account information ?

Does the PA in CN ask all 3 User-ID Agent ?

My customr concern about there are too many traffic to occupy their MPLS WAN bandwidth.

I need to know the whole process and if we have some Doc. about this would be better.

Thanks a lot.

Re: How to work about multiple User-ID Agent in an appliance ?

VinceM — Tue, 01 Sep 2015 13:02:11 GMT

Hi,

Short question, did you not configure AD replication between your site ?

Peaple in the US shold not use AD in TW for opening session ..

Then 1 palo, 1 agent per site should be enough. Depend of you replication time between ADs.

Hope help.

Re: How to work about multiple User-ID Agent in an appliance ?

pulukas — Tue, 01 Sep 2015 21:52:00 GMT

The Palo Alto firewalls do not communicate with each other. They each only know about the user-id associations they get from agents associated with that firewall.

With AD and user-id, the key to remember is that the ip address association for the user login will be in the server event log that authenticates the user. These local event log messages with the user and ip address only exist on the server that authenticates the user locally. These event message do not replicate as AD data does through the AD database.

So for each firewall you will need to see how your rules are written for user-id and where the user was authenticated by AD.

For example, if all of your rules are based on local users going out of the site, you likely only need the local AD for the firewall. When you login to any of your forest domains, this will be serviced by the local AD and logged there even if the actual account was created in one of the other two domains.

But if your have inbound rules from the other two sites coming into the local site that require user-id, you likely will need the agent input from the remote AD because that is where the authentication took place.

The other complication could come if you are using nat between any of the sites. Because the user-id will be based on the real ip address and if you nat that address the association would be lost.

Re: How to work about multiple User-ID Agent in an appliance ?

rmonvon — Wed, 02 Sep 2015 14:29:04 GMT

Hi...I just want to clarify on the comment about the PAs not communicating with each other. With respect to userID, when we enable the userID agent on the PA appliance, we can configure redistribution and defining a collector. This will allow the local PA to act as a user mapping redistribution point for other firewalls on your network.

Re: How to work about multiple User-ID Agent in an appliance ?

Lucky — Wed, 02 Sep 2015 17:53:17 GMT

Hi Rmonvon,

that is correct - if you enable UserID redistribution, that information will be shared, but why would you enable it in above scenario, what is the benefit of it? Steve and Vince are both right, Steve elaborated a bit but we could probably tell you better if you explained your situation a bit more, what are you sharing between the sites...

in any case, there is no document that tells bandwidth used between firewalls or UserID towards the firewall, but in terms of having the least traffic possible while all firewalls know information of each-other users, I would say UserID redistribution is the way to go because that should have the least overhead. If one firewall aggregates and distributes to others it is less traffic. Let's represent it this way, X, Y and Z are firewalls while x, y and z are their agents on the respective locations. Now:

If Z is collector, than you have 7 communication directions:

x <- X (firewall X polls agent x)

X <- Z (firewall Z that collects polls firewall X)

y <- Y (firewall Y polls agent y)

Y <- Z

z <- Z

Z -> X (redistribution from Z about Y users goes to X)

Z -> Y

If there is no collector, you have nine:

x <- X

y <- X

z <- X

x <- Y

y <- Y

z <- Y

x <- Z

y <- Z

z <- Z

Unfortunately, I don't think there is any documents stating bandwidth used for UserID or between HA ports (I know I was looking for such documents before and could not find any :D), but for UserID you might be able to calculate it based on one bandwidth between agent and firewall (you can monitor that for a day and multiply for those scenarios above, I don't think there is any difference between information sent from agent to firewall or it being sent from firewall to firewall, almost the same xml file is delivered).

Hope it helps a bit 🙂

regards

Luciano

Re: How to work about multiple User-ID Agent in an appliance ?

neilwu — Thu, 03 Sep 2015 02:23:38 GMT

Hi,

Thank you for your suggestion.

There is no replication so I think I need to deploy all User-ID agenet at each one PA appliance.

But that is a good point, I would like to set replication in each site.

Re: How to work about multiple User-ID Agent in an appliance ?

neilwu — Thu, 03 Sep 2015 02:29:12 GMT

Hi,

Many thanks for your clearly discription.