User-ID Redistributed users not the log file

Reply
L4 Transporter

User-ID Redistributed users not the log file

Hi Guys,

 

For one our customer we have two virtual cluster - frontend and backend firewalls. On the frontend firewall we have Global Protect enabled, with LDAP and User-Group Mapping, assign different access for different user group. Connected users should be able to reach some internal resources behind the backend firewall as well.

We have configured the frontend firewall to act as User-ID agent and to redistribute the user-ip mapping learned from global protect to the backend firewall.

When GP user is log in we can see correct user-ip-mapping on both firewalls:

user@frontend-fw(active)> show user ip-user-mapping all

IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
10.94.1.2       vsys1  GP      abc.com\test.user           8071           8071         

 

user@backend-fw(active)> show user ip-user-mapping all

IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
10.94.1.2       vsys1  UIA     abc.com\test.user           8016           8016         

However the backend firewall doesn't show the source username in the logs also the ACC tab doesn't show the traffic for this user. Our main goal is to have user-id information on the backend firewall as well for reporting and audit purposes .

 

Any help will be highly appreciated!

Tags (1)
L5 Sessionator

Re: User-ID Redistributed users not the log file

Hi @Alexander.Astardzhiev

 

Thank you for the detailed issue description! User-ID redistribution to the backend firewalls looks to be working from what you describe; have you checked that User Identification is enabled on the corresponding zone on the backend firewall? Does the interface on the backend firewall have an interface management profile attached with User-ID enabled?

 

Thanks,

Luke.

Highlighted
L4 Transporter

Re: User-ID Redistributed users not the log file

Hi @LukeBullimore,

 

Thank you for your feedback! Indeed enabling the user identification under the zone object did the trick. I was mainly focused on establishing the redistribution and completely forgot about the zone configuration.

 

For whomever intersted, the complete step we did were:

1. On frontend firewall (the one with GP enabled) we have enabled User-ID redistribution (Device -> User ID-> User Mapping -> PAN user agent setup -> Redistribution

2. On frontend firewall, we have enabled User-ID on in the interface management profile for the interface facing the backend firewall

3. On backend firewall, we have configured frontend fw as user-id agent

4. On backend, we have add destination service route to use the interface facing the frontend firewall
5. On backend, we have enabled user-id on the zone where the GP users are hitting the backend

6. On the backend, we have configured GP IP pool in the include networks for the user-id, under the zone, to filter out all other traffic that doesn't have user-ip mapping

 

Luke, thanks again for prompt assistance!

Best Regards

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!