07-25-2018 07:24 AM
Hi Guys,
For one of our customers we have two virtual clusters - frontend and backend firewalls. On the frontend firewall we have GlobalProtect enabled, with LDAP and user-group mapping, assigning different access to different user groups. Connected users should be able to reach some internal resources behind the backend firewall as well.
We have configured the frontend firewall to act as a User-ID agent and to redistribute the user-IP mapping learned from GlobalProtect to the backend firewall.
When a GP user logs in we can see the correct user-IP mapping on both firewalls:
user@frontend-fw(active)> show user ip-user-mapping all
IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
10.94.1.2       vsys1  GP      abc.com\test.user                8071           8071

user@backend-fw(active)> show user ip-user-mapping all
IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
10.94.1.2       vsys1  UIA     abc.com\test.user                8016           8016
However, the backend firewall doesn't show the source username in the logs, and the ACC tab doesn't show the traffic for this user either. Our main goal is to have User-ID information on the backend firewall as well, for reporting and audit purposes.
Any help will be highly appreciated!
07-25-2018 07:48 AM - edited 07-27-2018 12:52 AM
Thank you for the detailed issue description! User-ID redistribution to the backend firewalls looks to be working from what you describe; have you checked that User Identification is enabled on the corresponding zone on the backend firewall? Does the interface on the backend firewall have an interface management profile attached with User-ID enabled?
Thanks,
Luke.
07-27-2018 01:25 AM
Hi @LukeBullimore,
Thank you for your feedback! Indeed enabling the user identification under the zone object did the trick. I was mainly focused on establishing the redistribution and completely forgot about the zone configuration.
For whoever is interested, the complete steps we did were:
1. On the frontend firewall (the one with GP enabled) we have enabled User-ID redistribution (Device -> User ID -> User Mapping -> PAN User Agent Setup -> Redistribution)
2. On the frontend firewall, we have enabled User-ID in the interface management profile for the interface facing the backend firewall
3. On the backend firewall, we have configured the frontend FW as a User-ID agent
4. On the backend, we have added a destination service route to use the interface facing the frontend firewall
5. On the backend, we have enabled User-ID on the zone where the GP users hit the backend
6. On the backend, we have configured the GP IP pool in the User-ID include networks under the zone, to filter out all other traffic that doesn't have a user-IP mapping
Luke, thanks again for the prompt assistance!
Best Regards
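As an added example (not part of the thread, and not Palo Alto Networks code), here is a small Python check that turns the two "show user ip-user-mapping all" listings quoted above into something auditable: it parses both outputs, flags any mapping the frontend learned from GP that the backend did not receive via UIA, and reports client addresses that fall outside the zone's User-ID include networks from step 6 (those sessions would show no user on the backend even though redistribution works). The sample output is constructed from the thread's own listings; the second frontend entry (10.94.1.3) and the GP pool 10.94.1.0/24 are assumptions added to demonstrate a gap.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample output, modelled on the two CLI listings quoted in the
# thread. The 10.94.1.3 row is an invented addition so that a mapping missing
# on the backend can be demonstrated.
FRONTEND_OUTPUT = r"""
IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
10.94.1.2       vsys1  GP      abc.com\test.user                8071           8071
10.94.1.3       vsys1  GP      abc.com\other.user               7900           7900
"""

BACKEND_OUTPUT = r"""
IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
10.94.1.2       vsys1  UIA     abc.com\test.user                8016           8016
"""

# Assumed GlobalProtect client pool, i.e. what step 6 puts in the zone's
# User-ID include networks on the backend firewall.
GP_POOL = ["10.94.1.0/24"]

# One data row: IP, vsys, source, user, idle timeout, max timeout.
ROW_RE = re.compile(
    r"^(?P<ip>\S+)\s+(?P<vsys>\S+)\s+(?P<src>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<idle>\d+)\s+(?P<max>\d+)\s*$"
)


def parse_mappings(text: str) -> Dict[str, dict]:
    """Parse CLI output into {ip: row}; header, separator and prompt lines are skipped."""
    mappings: Dict[str, dict] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("IP ") or line.startswith("---"):
            continue
        m = ROW_RE.match(line)
        if not m:
            continue  # e.g. the CLI prompt line, which has no timeout columns
        mappings[m["ip"]] = {
            "vsys": m["vsys"],
            "from": m["src"],
            "user": m["user"],
            "idle": int(m["idle"]),
            "max": int(m["max"]),
        }
    return mappings


def compare_mappings(frontend: Dict[str, dict], backend: Dict[str, dict]) -> List[str]:
    """Findings for frontend mappings that the backend lacks or disagrees with.

    An empty list means every frontend mapping was redistributed and shows up
    on the backend with source UIA (learned from the User-ID agent).
    """
    findings = []
    for ip, fe in frontend.items():
        be = backend.get(ip)
        if be is None:
            findings.append(f"{ip}: present on frontend ({fe['user']}) but absent on backend")
            continue
        if be["user"].lower() != fe["user"].lower():
            findings.append(f"{ip}: user mismatch frontend={fe['user']} backend={be['user']}")
        if be["from"] != "UIA":
            findings.append(f"{ip}: backend source is {be['from']}, expected UIA")
    return findings


def outside_include_networks(mappings: Dict[str, dict], include_networks: List[str]) -> List[str]:
    """IPs whose mapping exists but lies outside the zone's User-ID include list.

    Per step 6, traffic from such addresses is not matched to a user on the
    backend even when the mapping itself was redistributed correctly.
    """
    nets = [ipaddress.ip_network(n) for n in include_networks]
    return [ip for ip in mappings
            if not any(ipaddress.ip_address(ip) in net for net in nets)]


if __name__ == "__main__":
    fe = parse_mappings(FRONTEND_OUTPUT)
    be = parse_mappings(BACKEND_OUTPUT)
    for finding in compare_mappings(fe, be):
        print("REDISTRIBUTION:", finding)
    for ip in outside_include_networks(fe, GP_POOL):
        print("INCLUDE-NETWORKS:", ip, "is outside", GP_POOL)
```

On real firewalls the two strings would be replaced with the captured output of the same command on each box; the parser ignores the prompt line, so the whole terminal paste can be fed in. The comparison is keyed on IP only, so a mapping whose user differs in case (abc.com\Test.User vs abc.com\test.user) is treated as the same identity, matching how the directory name is normally compared.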