topic Re: Redistribute Global protect mappings to another FW in General Topics

Redistribute Global protect mappings to another FW

BigPalo — Thu, 05 Jul 2018 10:30:21 GMT

Hi,

We can not identify GP users in a remote FW. We can see all AD mappings but not GP. I explain the scenario:

INTERNET ---------------> FW Central (gateway GP) -----> MPLS --------------> Remote FW PALO ALTO

both PA are integrated with LDAP, but not have userid agents.

We can see the AD users in both PA, but when a user is connecting by Global protect, the remote FW Palo Alto can NOT identify the mapping USER/IP.

In FW Central we can see 10.0.0.1 domain/david.james GP

but in FW remote 10.0.0.1 uknown unknown

This is normal because GP is only in FW Central, but there is any way to redistribute the GP mapping to the remote FW???

thanks

Re: Redistribute Global protect mappings to another FW

santonic — Thu, 05 Jul 2018 13:04:16 GMT

Yes, you can redistribute User-ID infor between PA firewalls.

https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/user-id/deploy-user-id-in-a-large-scale-network/redistribute-user-mappings-and-authentication-timestamps/configure-user-id-redistribution

Re: Redistribute Global protect mappings to another FW

BigPalo — Thu, 05 Jul 2018 13:13:37 GMT

Yes, but without userid agents? and GP users information?

what config we have to do in the FW which will receive the mappings??? i see that we only configure the FW will send the mappings, but in the fw receiving?

Re: Redistribute Global protect mappings to another FW

santonic — Thu, 05 Jul 2018 13:18:36 GMT

You don't need agents for GP users. PA which terminates GP connections has all the info about these users.

On receiving PA you set the first PA as User-ID agent.

Re: Redistribute Global protect mappings to another FW

BigPalo — Thu, 05 Jul 2018 13:47:32 GMT

Ues, i know its not necessary agents for GP. But a FW can send all GP users info matches to another FWs???? or the FW can only send UIA/AD info to another FW?

Re: Redistribute Global protect mappings to another FW

santonic — Fri, 06 Jul 2018 05:51:25 GMT

It redistributes User-ID info no matter which source it came from (GP, User-ID agent, AD, syslog...)

Re: Redistribute Global protect mappings to another FW

Remo — Sun, 08 Jul 2018 10:19:48 GMT

@santonic wrote:
It redistributes User-ID info no matter which source it came from (GP, User-ID agent, AD, syslog...)

The only exception are mappings from Terminal Server agents which cannot be redistributed.