topic Re: adding more than one UIA agent on firewall? in General Topics

adding more than one UIA agent on firewall?

kchopra01 — Wed, 30 May 2018 13:40:45 GMT

Hi Techies,

I have a small doubt whether I can add more than one UIA server in my firewall in the sense that they should behave kind of active passive .

Requirement is something like that I want to secure user id functionality on firewall so that if one of my UIA gets down , then firewall should contact other UIA server for that....

Let me know if we have any solution for it ...

Re: adding more than one UIA agent on firewall?

OtakarKlier — Wed, 30 May 2018 14:22:39 GMT

Hello,

Yes you can have the PAN monitor more than one user-id agent. I have two just to keep things simple and redundant, I have a small environment.

https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/user-id/map-ip-addresses-to-users/configure-user-mapping-using-the-windows-user-id-agent/configure-the-windows-based-user-id-agent-for-user-mapping

Hope that helps.

Regards,

Re: adding more than one UIA agent on firewall?

kchopra01 — Wed, 30 May 2018 14:34:46 GMT

oh thats great if you are using it already !

But I have one doubt , whether panos reads those both servers in sequence ( kind of active -passive style) or it monitors both simulatenously ?

Also, if it monitors both at the same time then isn't it it creates problem ? because it is reading logs from both UIA, so whose result it will give to firewall ?? UIA1 or 2 ?

sorry if it sounds silly but i need clarity before implementing..

thanks

Re: adding more than one UIA agent on firewall?

OtakarKlier — Wed, 30 May 2018 14:43:21 GMT

Hello,

Your concerns are very valid. It monitors and ingests the information from both agents at the same time on an interval. I belevie it uses timestamps from the windows event logs to resolve conflicts, i.e. one IP has two names.

https://live.paloaltonetworks.com/t5/Configuration-Articles/User-ID-Agent-Setup-Tips/ta-p/54755

Hope that helps.

Re: adding more than one UIA agent on firewall?

kchopra01 — Thu, 31 May 2018 06:26:31 GMT

Hey thanks man for the solution....

So , i just need to add just one more UIA under device>user identification> user id agent and thats it right ??

In that way , I would be seein two servers connected ( green) and my firewall will talk to two servers at the same time and if there is any conflict, it would read windows event logs.....to cross verif and send results ...right ?

Re: adding more than one UIA agent on firewall?

Remo — Thu, 31 May 2018 07:07:44 GMT

The UIA reads the windows event logs continuously to provide the most current User-IP mappings to the firewall. The firewall then talks to both UIAs and always uses the most current timestamp for an IP. So lets assume the following:

UIA1: domain\johndoe 20180531-06:10:34 10.10.10.10

UIA2: domain\johndoe 20180531-07:23:26 10.10.10.10

In this case the firewall would have received the mapping first from UIA1. As soon as the new mapping is present on UIA2 the firewall updates it's user-ip-mapping table with the new event from UIA2.

Re: adding more than one UIA agent on firewall?

kchopra01 — Thu, 31 May 2018 07:37:52 GMT

Thanks man...i got it now...