Data redistribution: mappings learned via agentless user-id are okay, mappings via globalprotect(type GP) not redistributed

L2 Linker

Hello.

So I'm setting up data redistribution (mainly for User-ID) between 2 clusters.

One cluster has a GlobalProtect license and a working internal gateway (this solution will in time completely replace the agentless User-ID).

I configured data redistribution.

The GP firewall is configured with a collector name (multi-vsys setup) and even sees 1 client connected (idle).

The 2nd firewall is configured with an agent config using host and port (didn't work with serial) and the status is connected.

When I try to use the serial method I can select: none, panorama or panorama2. I don't see any serial numbers, nor do I see anything indicating it's possibly my other firewall.

Yes, there is a Panorama, but it's a standalone VM and I would therefore like to avoid using it, as that would create a single point of failure for User-ID policies (Panorama down and the 2nd firewall doesn't get any user-IP mappings from GP anymore).

When I log into the CLI of the 2nd firewall and do a "show user ip-user-mapping all", I see a load of user-to-IP mappings, all of type REDIST (indicating redistribution seems to be working).
The only exception: the 5-10 users currently testing the GlobalProtect method aren't seen.
No entries for their usernames or IPs.

So despite all documentation and some posts here stating that data redistribution does not care about the source, it seems it's not redistributing any user mappings of type GP.
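A quick way to turn the check described above into something repeatable, as an added example that is not part of the original thread: paste the "show user ip-user-mapping all" output from the agent firewall and from the redistribution client, and list which of the agent's mappings (grouped by their agent-side source type) never show up as REDIST on the client. The column layout and the sample tables below are constructed for this example and assumed to match PAN-OS output closely enough; adjust the regex if your build prints extra columns.

```python
# Added example (not from the original thread): compare the ip-user mapping
# tables of the redistribution agent and client. On the client every received
# mapping shows as REDIST, so the agent-side "From" column is the only place
# the original source type (GP, AD, ...) survives. Column layout is an
# assumption modelled on PAN-OS output; the sample tables are constructed.
import re
from collections import defaultdict

AGENT_OUTPUT = """\
IP              Vsys   From    User                IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- ------------------- -------------- -------------
10.10.1.21      vsys1  AD      corp\\alice         2700           2700
10.10.1.22      vsys1  AD      corp\\bob           2700           2700
172.16.5.10     vsys2  GP      corp\\carol         2550           2550
172.16.5.11     vsys2  GP      corp\\dave          2550           2550
Total: 4 users
"""

CLIENT_OUTPUT = """\
IP              Vsys   From    User                IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- ------------------- -------------- -------------
10.10.1.21      vsys1  REDIST  corp\\alice         2650           2700
10.10.1.22      vsys1  REDIST  corp\\bob           2650           2700
Total: 2 users
"""

# One data row: IP, vsys, source type, user, idle timeout, max timeout.
ROW = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s*$")

def parse_mappings(text):
    """Return {(ip, user): source} for every data row; header and footer lines are skipped."""
    mappings = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            ip, _vsys, source, user, _idle, _max = m.groups()
            mappings[(ip, user.lower())] = source
    return mappings

def missing_by_source(agent_text, client_text):
    """Mappings present on the agent but absent on the client, keyed by agent-side source type."""
    agent = parse_mappings(agent_text)
    client = parse_mappings(client_text)
    missing = defaultdict(list)
    for key, source in agent.items():
        if key not in client:
            missing[source].append(key)
    return dict(missing)

if __name__ == "__main__":
    for source, keys in sorted(missing_by_source(AGENT_OUTPUT, CLIENT_OUTPUT).items()):
        print(f"{source}: {len(keys)} mapping(s) not redistributed -> {keys}")
```

If only one source type is missing on the client (here GP), the problem is upstream of redistribution for that source; if mappings of every type are missing, the agent/client connection itself is the first thing to check.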


1 accepted solution

Accepted Solutions

L6 Presenter

You are using version 10, as you are mentioning data redistribution and not user redistribution?

Shouldn't the second firewall also be the client if you want to see the GlobalProtect users from the first firewall? Maybe you think that the redistribution is in two directions, but it is not, so you need to configure firewall 1 to be client and agent and also firewall 2 to be client and agent. This is why it is better to have a central redistribution point like Panorama, and if it is a VM you can still make snapshots.

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-web-interface-help/device/device-data-redistrib...

On the first firewall, do you see the GlobalProtect users that have connected to it when you view ip-user mappings?

If your config is correct then maybe still test with the Panorama, and mind that the version is still not stable and it could be a bug. Also, maybe the VSYS is causing issues: when you configure an agent there is no selection of a vsys, so it should redistribute the info from all vsys, but who knows, as I mentioned 10.0 is not stable.

2 REPLIES

Hello.
So yes, I'm using data redistribution.
The setup is: 1 firewall cluster collects all user data and redistributes to the 2nd.
So the 2nd is only a client, the 1st is only an agent.

User mappings on the first firewall are all okay (both agentless and GlobalProtect).

However, I decided to use an old Cisco ASA trick for when config (that should work) is not working: delete the entire config and set it up again.

And after this I finally got the GlobalProtect users to also show up.
I did nothing different (used the same names, interfaces, zones, settings...).
So I'm guessing possibly a bug in 10.0.3 or something.

I see that version 10.0.5 has become preferred just recently, so I will upgrade both firewalls to this version.
