How to Configure and Verify User-ID Collector in PAN-OS


Overview

A Palo Alto Networks firewall can be configured as a collector that redistributes its IP-to-user mapping information to other Palo Alto Networks firewalls on your network. This document describes how to configure the redistribution (collector) firewall, how to configure a firewall that pulls the mappings from it, and how to verify the configuration from the CLI.


Note:

  • Only the user mapping information collected by the agentless User-ID feature (PAN-OS User Mapping) is redistributed to the other firewalls.
  • If multiple firewalls need to pull mappings from the collector, each of them must specify the collector name in its User-ID Agents tab.
  • The collector does not redistribute mappings learned from a Terminal Server agent. This is expected behavior.


Steps

  1. Navigate to Device > User Identification.
  2. In the User Mapping tab, click the edit icon.
     [Screenshot: Screen Shot 2013-02-06 at 11.46.37 AM.png]
  3. Configure the collector from the Redistribution tab by entering a Collector Name and a Pre-Shared Key. This information is used by the firewalls that will pull user mapping information.
     [Screenshot: collector.JPG]
  4. Check for the Collector Name on the Device > User Identification > User Mapping tab. The image below also shows that user mapping has been configured for an Active Directory server.
     [Screenshot: userid_collector.JPG]
  5. Ensure the User-ID service is enabled on an Interface Management profile.
  6. Navigate to Network > Network Profiles > Interface Mgmt.
  7. Open the profile applied to the appropriate interface, or add a new profile.
  8. Enable the User-ID service in the profile.

Note: If the User-ID traffic should leave through a dataplane interface, configure a service route for the UID Agent service on that interface.

[Screenshot: Screen Shot 2013-02-06 at 1.32.32 PM.png]

  9. Commit the changes. This completes the configuration of the collector.


Configure a Palo Alto Networks firewall to retrieve the IP-user mappings from the collector.

  1. Navigate to the User-ID Agents tab at Device > User Identification.
  2. Click Add and fill in the fields. The Collector Name and Pre-Shared Key must match the values configured on the collector.
     [Screenshot: connect_pan.JPG]
  3. The firewall connects to the collector on TCP port 5007. This port cannot be modified.
  4. Commit the changes. The user mappings from the collector will appear on the firewall.


Verification

The following CLI commands can be used to verify that the collector service is up and the user mapping information is received on the other Palo Alto Networks firewalls.

  1. On the collector, display the status of the User-ID service:
     > show user user-id-service status
     [Screenshot: userid_servce.JPG]
  2. Display the clients (firewalls) that are connected to the collector:
     > show user user-id-service client all
     [Screenshot: client_status.JPG]
  3. Display the IP-user mapping on the collector:
     > show user ip-user-mapping all
     [Screenshot: mapping_collectr.JPG]
  4. On the firewall that receives information from the collector, display the IP-user mapping:
     > show user ip-user-mapping all
     [Screenshot: mapping_client.JPG]
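Steps 3 and 4 only succeed if the same mappings show up on both boxes. The script below, an added example that is not part of the original article and not Palo Alto Networks code, parses the mapping table from the collector and from the receiving firewall and reports every entry the receiver is missing. The two sample outputs are constructed to resemble what `show user ip-user-mapping all` prints; the column layout and the values in the `From` column (in particular `TS` for Terminal Server agent entries, which the note above says are not redistributed) are assumptions for this illustration and may differ by PAN-OS release.

```python
"""Compare the IP-user mappings on a User-ID collector with those on a
firewall that pulls from it (added example; not part of the original article)."""
import re
from typing import Dict, List, NamedTuple


class Mapping(NamedTuple):
    vsys: str
    source: str   # value of the "From" column (assumed labels, see below)
    user: str


# Constructed sample: collector output. The "From" values AD and TS are an
# assumption for this example, not a guaranteed PAN-OS label.
COLLECTOR_OUTPUT = """\
IP               Vsys   From    User                      IdleTimeout(s) MaxTimeout(s)
---------------- ------ ------- ------------------------- -------------- -------------
10.1.10.21       vsys1  AD      corp\\jdoe                2400           2400
10.1.10.22       vsys1  AD      corp\\asmith              2400           2400
10.1.20.5        vsys1  TS      corp\\tsuser1             2400           2400
Total: 3 users
"""

# Constructed sample: output of the firewall that pulls from the collector.
CLIENT_OUTPUT = """\
IP               Vsys   From    User                      IdleTimeout(s) MaxTimeout(s)
---------------- ------ ------- ------------------------- -------------- -------------
10.1.10.21       vsys1  UIA     corp\\jdoe                2400           2400
Total: 1 users
"""

# One data row: IPv4 address, vsys, source, user, two timeout counters.
ROW_RE = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\S+)\s+(\S+)\s+\d+\s+\d+\s*$"
)

# Source label assumed for Terminal Server agent mappings (constructed value).
TS_SOURCE = "TS"


def parse_mappings(text: str) -> Dict[str, Mapping]:
    """Return {ip: Mapping} for each data row. The header, the dashed
    separator and the 'Total:' trailer do not match ROW_RE and are skipped."""
    mappings: Dict[str, Mapping] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            ip, vsys, src, user = m.groups()
            mappings[ip] = Mapping(vsys, src, user)
    return mappings


def missing_on_client(collector: Dict[str, Mapping],
                      client: Dict[str, Mapping]) -> Dict[str, Mapping]:
    """Mappings present on the collector but absent, or mapped to a different
    user, on the receiver. Only the user is compared: the 'From' column is
    expected to differ, since the receiver learned the entry from the
    collector rather than from AD."""
    return {
        ip: mp for ip, mp in collector.items()
        if ip not in client or client[ip].user.lower() != mp.user.lower()
    }


def report(collector_text: str, client_text: str) -> List[str]:
    """One line per missing mapping. Terminal Server entries are flagged as
    expected (the collector never redistributes them); anything else needs
    a look at the collector's client list and the receiver's agent config."""
    coll = parse_mappings(collector_text)
    cli = parse_mappings(client_text)
    lines = []
    for ip, mp in sorted(missing_on_client(coll, cli).items()):
        note = ("expected: not redistributed" if mp.source == TS_SOURCE
                else "INVESTIGATE")
        lines.append(f"{ip:<16} {mp.user:<20} from={mp.source:<6} {note}")
    return lines


if __name__ == "__main__":
    for line in report(COLLECTOR_OUTPUT, CLIENT_OUTPUT):
        print(line)
```

Paste the real output of both firewalls into the two strings (or read them from files) and run it after each commit. A mapping that is missing on the receiver and did not come from a Terminal Server agent usually means the receiver is not in the collector's `show user user-id-service client all` list, so check the collector name, pre-shared key and the User-ID service on the interface management profile before looking elsewhere.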



owner: sdarapuneni

Comments

Do you need to configure the Collector Name in the Redistribution tab for all the firewalls, or just one firewall which can communicate to the Terminal server? My second question would be, the Collector Name in User Mapping tab. So, as I have understood, you specify the collector Name of the firewall where the user IP mapping is pulled from. Can you use this name on multiple firewalls?

If you have multiple firewalls that need to pull mappings from the collector, all of them should specify the collector name in the User-ID Agents tab. Also note that the collector will not redistribute the mappings from the terminal server; this is expected behavior.

What is the PAN guidance/best practice for this?  To me, having the user id agent on the firewall seems the most sensible thing to do, but I have heard that this may not be the recommended solution.  Are there parameters which affect the decision such as number of users, model of device and so on?

Ensure that the User-ID service is enabled on a Management Interface profile --> this should be done on the receiving Palo Alto, not on the sending one.

Also, I found that if I don't configure the collector name + pass, but enable the User-ID service on both Palo Altos, I can receive the user information from the other Palo Alto. Is this normal or a bug?

In this case the concept of collector is pretty broken.

It may be used by SMBs, but for a big corporation it's totally useless.

Guessing XMLAPI mappings will not be distributed since it was pushed to the firewall via REST API?