Correct way to setup UserID redistribution


L0 Member

Hi there,

I'm looking for the correct way to build our UserID redistribution topology based on our enterprise needs.

We have 1 Panorama appliance, 4 PA-3020s hosting a GP gateway component and 50 PA-3020s for remote offices.

Our only source for UserID is the GP gateways.

I've set up Panorama to retrieve UserID information from our 4 GP gateways, and our remote office firewalls pull UserID from Panorama; this works just fine.

I also need to have our whole company UserID database on the 4 GP gateways. Won't it create a topology loop if I tell our GP gateways to also retrieve UserID from Panorama?

Thanks for your help.

2 REPLIES

L7 Applicator

Firewalls only share information they 'learned locally' to redistribution, so anything they learn FROM redistribution won't be fed back into it.

Tom Piens
Like my answer? check out my book! https://bit.ly/MasteringPAN

Hi @reaper,

I was hoping what you said was true, but in our environment we see the opposite.

We have two separate firewalls with a GP portal and gateway on each. We have configured User-ID redistribution between the two firewalls (in both directions), so FW1 should redistribute User-ID mappings from its local GP to FW2 and vice versa.

From the User-ID logs below you can see that when a user connects to GP on FW1, it redistributes the mapping to FW2, but FW2 then redistributes the same entry back to FW1.

[Screenshot: User-ID logs showing the entry redistributed from FW1 to FW2 and then back to FW1]

It is probably worth mentioning that we are using GP pre-logon and the firewall receives only the username (without the domain) from GP, so we had to put the domain in the authentication profile. This probably explains why "user provided by source" for any GP-related log is only the username.

I am looking for a way to avoid this "redistribution loop", but so far no luck.
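The two replies above describe different forwarding behaviour, and whether the original poster's hub-and-spoke design (gateways feeding Panorama and also pulling from it) loops depends entirely on which one holds. The following is an added example, not code from this thread or from Palo Alto Networks: a small Python model of mapping flow in which each device carries a `forward_received` flag (False = forward only mappings learned from a local source, as the first reply states; True = forward everything held, as the second reply observed). Device names, IPs and usernames are hypothetical, and the flag semantics are assumptions to be checked against your own firewalls, not a description of PAN-OS internals.

```python
"""Toy model of User-ID redistribution flow, used to reason about loops.

Constructed example, not PAN-OS code: it does not claim to reproduce how
PAN-OS decides which mappings to forward. Each node has a `forward_received`
flag so both behaviours discussed in the thread can be tried:
  False - forward only mappings learned from a local source (first reply)
  True  - forward every mapping the node holds, including ones received
          from a redistribution peer (what the second reply observed)
Device names, IPs and usernames are hypothetical.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Mapping:
    ip: str
    user: str
    origin: str  # device that learned the mapping from a real source (e.g. its GP gateway)


@dataclass
class Node:
    name: str
    forward_received: bool
    peers: list = field(default_factory=list)  # devices this node redistributes to
    table: dict = field(default_factory=dict)  # ip -> Mapping currently held
    local: set = field(default_factory=set)    # ips learned from a local source


def simulate(nodes, learned):
    """Seed `learned` ({node_name: [(ip, user), ...]}) and propagate until quiet.

    Returns (tables, echoes). An 'echo' is a mapping offered back to the
    device that originated it - the symptom in the second reply's logs.
    """
    by_name = {n.name: n for n in nodes}
    queue = deque()
    echoes = []
    for name, entries in learned.items():
        node = by_name[name]
        for ip, user in entries:
            m = Mapping(ip, user, origin=name)
            node.table[ip] = m
            node.local.add(ip)
            queue.append((node, m))
    while queue:
        sender, m = queue.popleft()
        # Policy under test: a node that only forwards local mappings drops
        # anything it did not learn itself.
        if not sender.forward_received and m.ip not in sender.local:
            continue
        for peer in sender.peers:
            if m.origin == peer.name:
                echoes.append((sender.name, peer.name, m.ip))
            if peer.table.get(m.ip) == m:
                continue  # identical mapping already held; nothing new to send on
            peer.table[m.ip] = m
            queue.append((peer, m))
    tables = {n.name: {ip: m.user for ip, m in n.table.items()} for n in nodes}
    return tables, echoes


def two_firewall_topology(forward_received):
    """FW1 <-> FW2, each with its own GP gateway (the second reply's setup)."""
    fw1 = Node("FW1", forward_received)
    fw2 = Node("FW2", forward_received)
    fw1.peers, fw2.peers = [fw2], [fw1]
    return [fw1, fw2]


def hub_topology(gateways=4, remotes=50, gateways_pull_from_hub=True):
    """GW gateways -> Panorama -> remote firewalls (and optionally the GWs).

    The hub learns nothing locally, so it must forward received mappings to
    be useful at all; the gateways forward only what they learned locally.
    """
    hub = Node("Panorama", forward_received=True)
    gws = [Node(f"GW{i}", forward_received=False, peers=[hub]) for i in range(1, gateways + 1)]
    rem = [Node(f"RO{i}", forward_received=False) for i in range(1, remotes + 1)]
    hub.peers = rem + (gws if gateways_pull_from_hub else [])
    return [hub] + gws + rem


def run_two_firewall(forward_received):
    nodes = two_firewall_topology(forward_received)
    return simulate(nodes, {"FW1": [("10.1.1.10", "alice")],
                            "FW2": [("10.2.2.20", "bob")]})


def run_hub():
    nodes = hub_topology()
    learned = {f"GW{i}": [(f"10.{i}.0.10", f"user{i}")] for i in range(1, 5)}
    return simulate(nodes, learned)


if __name__ == "__main__":
    for flag in (False, True):
        tables, echoes = run_two_firewall(flag)
        print(f"two firewalls, forward_received={flag}: FW1={tables['FW1']} echoes={echoes}")
    tables, echoes = run_hub()
    print("hub: GW1 holds", len(tables["GW1"]), "mappings, RO1 holds", len(tables["RO1"]),
          "mappings, entries offered back to their own gateway:", len(echoes))
```

In the model, the two-firewall pair only echoes entries back to their originator when both sides forward received mappings, and the hub design distributes all four gateways' mappings to every device while each gateway is offered its own entries back exactly once. Because the identical mapping is already held, the echo terminates rather than looping indefinitely, which is consistent with the second reply seeing the entry come back but not an endless storm. Before relying on either assumption, confirm the real behaviour on your own firewalls with `show user ip-user-mapping all`, whose From column shows the source type each mapping was learned from, and compare what a gateway holds against what it redistributes.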
