How to work with multiple User-ID Agents in an appliance?

L2 Linker

Hi,

I have 3 domains in different locations (US, CN, TW); each one has its own User-ID agent.

We deployed a PA-3020 in each location, and each one has those 3 User-ID agents set in its User-ID Agent configuration.

If a user account belongs to US and it logs in at CN, how does the PA appliance get the account information?

Does the PA in CN ask all 3 User-ID Agents?

My customer is concerned that there will be too much traffic occupying their MPLS WAN bandwidth.

I need to know the whole process, and if we have some doc about this, that would be better.

Thanks a lot.

L5 Sessionator

Hi,

Short question: did you not configure AD replication between your sites?

People in the US should not use AD in TW for opening a session...

Then 1 Palo, 1 agent per site should be enough. Depends on your replication time between ADs.

Hope it helps.

V.

L7 Applicator

The Palo Alto firewalls do not communicate with each other. They each only know about the user-id associations they get from agents associated with that firewall.

With AD and user-id, the key to remember is that the ip address association for the user login will be in the server event log that authenticates the user. These local event log messages with the user and ip address only exist on the server that authenticates the user locally. These event messages do not replicate as AD data does through the AD database.

So for each firewall you will need to see how your rules are written for user-id and where the user was authenticated by AD.

For example, if all of your rules are based on local users going out of the site, you likely only need the local AD for the firewall. When you log in to any of your forest domains, this will be serviced by the local AD and logged there, even if the actual account was created in one of the other two domains.

But if you have inbound rules from the other two sites coming into the local site that require user-id, you will likely need the agent input from the remote AD, because that is where the authentication took place.

The other complication could come if you are using NAT between any of the sites. Because the user-id will be based on the real ip address, if you NAT that address the association would be lost.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
L6 Presenter

Hi... I just want to clarify the comment about the PAs not communicating with each other. With respect to User-ID, when we enable the User-ID agent on the PA appliance, we can configure redistribution and define a collector. This will allow the local PA to act as a user mapping redistribution point for other firewalls on your network.

L5 Sessionator

Hi Rmonvon,

 

That is correct: if you enable User-ID redistribution, that information will be shared. But why would you enable it in the above scenario? What is the benefit of it? Steve and Vince are both right; Steve elaborated a bit, but we could probably tell you better if you explained your situation a bit more: what are you sharing between the sites?

In any case, there is no document that states the bandwidth used between firewalls or from User-ID towards the firewall, but in terms of having the least traffic possible while all firewalls know the information about each other's users, I would say User-ID redistribution is the way to go, because that should have the least overhead. If one firewall aggregates and distributes to the others, it is less traffic. Let's represent it this way: X, Y and Z are firewalls, while x, y and z are their agents at the respective locations. Now:

 

If Z is the collector, then you have 7 communication directions:

x <- X (firewall X polls agent x)

X <- Z (firewall Z that collects polls firewall X)

y <- Y (firewall Y polls agent y)

Y <- Z

z <- Z

Z -> X (redistribution from Z about Y users goes to X)

Z -> Y

 

If there is no collector, you have nine:

x <- X

y <- X

z <- X

x <- Y

y <- Y

z <- Y

x <- Z

y <- Z

z <- Z

 

Unfortunately, I don't think there are any documents stating the bandwidth used for User-ID or between HA ports (I know I was looking for such documents before and could not find any :D), but for User-ID you might be able to calculate it based on the bandwidth of one agent-to-firewall link (you can monitor that for a day and multiply for the scenarios above; I don't think there is any difference between information sent from agent to firewall or from firewall to firewall, almost the same XML file is delivered).

 

Hope it helps a bit :)

 

regards

 

Luciano
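The counting exercise above, written out as a small model so it can be applied to any number of sites and used for the "measure one link, then multiply" estimate. This is an added example for this thread, not code from the original posts or from Palo Alto Networks. Site names, the `fw-`/`agent-` naming, and the per-link byte figure are constructed inputs; the model generalises the 3-site case to N sites, which the post itself does not do.

```python
# Added example (not from the original thread): a model of the two User-ID
# polling topologies Luciano describes, used to count which relationships
# cross the MPLS WAN and to turn one measured agent link into a rough
# daily estimate. Site names and byte counts are constructed/hypothetical.
from itertools import product


def site_of(node: str) -> str:
    """'fw-US' -> 'US', 'agent-CN' -> 'CN'."""
    return node.split("-", 1)[1]


def full_mesh_links(sites):
    """No collector: every firewall polls every site's agent.

    Returns (poller, source) pairs, e.g. ('fw-CN', 'agent-US'),
    so N sites give N*N relationships.
    """
    return [(f"fw-{fw}", f"agent-{ag}") for fw, ag in product(sites, sites)]


def collector_links(sites, collector):
    """One firewall is the collector (redistribution point).

    Each firewall polls only its local agent; the collector polls the other
    firewalls for their mappings and pushes the aggregate back to them,
    so N sites give N + (N-1) + (N-1) = 3N-2 relationships.
    """
    others = [s for s in sites if s != collector]
    links = [(f"fw-{s}", f"agent-{s}") for s in sites]          # local polls
    links += [(f"fw-{collector}", f"fw-{s}") for s in others]    # collector polls remote firewalls
    links += [(f"fw-{s}", f"fw-{collector}") for s in others]    # redistribution back to remotes
    return links


def wan_links(links):
    """Only relationships between two different sites consume WAN bandwidth;
    a firewall polling its own local agent stays on the LAN."""
    return [(a, b) for a, b in links if site_of(a) != site_of(b)]


def estimate_daily_wan_bytes(links, bytes_per_link_per_day):
    """Crude estimate following the post's suggestion: measure one
    agent-to-firewall link for a day and multiply by the number of WAN links.
    Assumes every link carries roughly the same mapping volume (the post's
    assumption, not a measured fact)."""
    return len(wan_links(links)) * bytes_per_link_per_day


if __name__ == "__main__":
    sites = ["US", "CN", "TW"]
    measured = 12_000_000  # hypothetical: ~12 MB/day seen on one local agent link
    mesh = full_mesh_links(sites)
    coll = collector_links(sites, collector="TW")
    print(f"full mesh:    {len(mesh)} links, {len(wan_links(mesh))} over WAN, "
          f"~{estimate_daily_wan_bytes(mesh, measured) / 1e6:.0f} MB/day")
    print(f"collector TW: {len(coll)} links, {len(wan_links(coll))} over WAN, "
          f"~{estimate_daily_wan_bytes(coll, measured) / 1e6:.0f} MB/day")
```

For the three-site case this reproduces the 9 versus 7 counts from the post, and shows that the saving on the WAN specifically is 6 cross-site relationships versus 4, because each firewall's poll of its own agent never leaves the site. The model counts relationships, not bytes: the collector's redistribution messages carry the aggregate of every other site's mappings, so treat the byte estimate as an upper-bound sanity check against the measured per-link figure rather than a capacity-planning number.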

L2 Linker

Hi,

Thank you for your suggestion.

There is no replication, so I think I need to deploy all the User-ID agents at each PA appliance.

But that is a good point; I would like to set up replication at each site.

L2 Linker

Hi,

Many thanks for your clear description.
