User-ID Hierarchy Design


L0 Member

So we have our device groups laid out like this, there’s more but you get the idea. Shared > Regional > Site.

The devices are members of the Site device group, and have a master device allowing me to push User-ID rules down through Panorama. If I want to do Regional or Shared User-ID rules, I have to collapse the device groups so they’re all members of the same group (so I would have to delete all the Site groups and put them all into a Regional one, and assign a master device).

 

When talking with a colleague he recommended putting in a “Collector” device group above the regional ones, put a spare box in there as the master and it should cascade the group mappings down (in Panorama). It didn’t.

 

The documentation I’ve read online either covers how to handle large network User-ID redistribution, OR device group management for policies – but never together. We want to be able to do this because people move between sites within a region and we don’t want to have to replicate all the rules or manage two sets of rules.

1 REPLY

L7 Applicator

Hi,

 

First, what Panorama version are you using?

This is probably not the step-by-step solution you need, but maybe it will at least help a little with your setup.

 

I have tested with the following DG hierarchy:

Shared
----->Site 1
---------->Cluster 1
---------->Cluster 2
----->Site 2
---------->Cluster 3
---------->Cluster 4
...

 

In this setup I have (logically) a master device per Cluster device group, from where Panorama gets the user group data.

 

All firewalls have group mapping settings configured to get all the AD user groups, but only one cluster per site is reading the DC security logs for the login events. The other ones pull the user-IP mappings from the first cluster. Even though the clusters are distributed over different sites, they are all pulling the user groups from the same set of servers, so all clusters have all the necessary user groups.

 

Like this I am able to configure user-based firewall rules in the "Site #" and Shared device group(s), because Panorama merges all the groups from the different device groups together and makes them selectable in the upper device groups.

 

I am using Panorama on PAN-OS 8.0.2 (tested also with 8.0.1 and 8.0.0).

 

Regards,

Remo
