10-17-2024 07:17 AM - edited 10-17-2024 07:27 AM
Hi All,
I have a problem with user-ID data redistribution from Prisma Access to on-prem (Panorama).
I have 13 GlobalProtect gateways globally, and I see the usernames in traffic logs for all gateways.
I redistribute user-ID from Prisma to on-prem Panorama via a service connection and then redistribute from Panorama to the on-prem firewalls.
Unfortunately, I have no user-ID redistribution for 4 of the 13 gateways in Panorama -> on-prem NGFWs, so user-based security policies do not work when a user is connected to an "affected gateway".
Is it something I can fix on my side?
Kind Regards,
Kacper
10-19-2024 06:05 AM
I have a question
> Are those gateways [for which you are seeing the user ID] connected to a service connection?
10-19-2024 06:06 AM
A small correction
for which you are not seeing the user ID
10-20-2024 11:13 PM
I have two service connections.
Panorama is connected behind one of them.
The working gateway IS in the same compute center as the SC connecting Panorama.
The non-working gateways are in another SC location and in locations without an SC.
For testing purposes, I've connected two user-IDs (IP addresses specified for the two SCs) to the Panorama (behind one of these two SCs).
I see the status as connected, but it does not change the situation.
Kacper
10-23-2024 01:37 AM
Check if you have enabled identity redistribution on that service connection (where the non-working gateways are connected).
Check if you have enabled these options for the SC:
- IP to user
- IP to tag
- User to tag
10-25-2024 07:37 AM
OK, I've connected the firewall at the site of another SC to the sc-user-id for that location...
And it changes nothing. I see the user-ID data for the same gateways as before, but the broken ones are still broken.
Escalating in TAC...
Kind Regards,
Kacper
10-25-2024 07:49 AM - edited 10-25-2024 07:53 AM
Users connected:
Gateway OK: 192.168.227.13
Gateway NOK: 192.168.229.46
User-ID info:
admin@panorama> show user ip-user-mapping-mp all | match as.test
192.168.227.13 REDIST as.test@domain 10187 100.107.127.169
admin@firewall(active)> show user ip-user-mapping-mp all | match as.test
192.168.227.13 vsys1 REDIST domain\as.test 10466 100.107.127.169
@abhinav2308 : What do you mean by "Check if you have enabled the identity redistribution on that service connection "?
Kacper
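A small check script, added here and not from the thread or from Palo Alto Networks, that parses the two `show user ip-user-mapping-mp` outputs quoted above (sample text constructed from them), normalizes the `user@domain` and `domain\user` name forms, and reports which connected-user IPs lack a REDIST mapping on each device. The connected-user IP list and the two outputs are assumptions modelled on the post.

```python
from typing import Dict, Set

# Constructed sample output, modelled on the two CLI captures quoted in the
# thread. Panorama form: "IP REDIST user@domain TIMEOUT SOURCE";
# the firewall form adds a vsys column and uses domain\user.
PANORAMA_OUTPUT = """\
192.168.227.13 REDIST as.test@domain 10187 100.107.127.169
"""
FIREWALL_OUTPUT = """\
192.168.227.13 vsys1 REDIST domain\\as.test 10466 100.107.127.169
"""

# Client IPs of users connected to the gateways under test (assumed, from the post).
CONNECTED_USERS = {"192.168.227.13": "OK gateway", "192.168.229.46": "NOK gateway"}


def normalize_user(raw: str) -> str:
    """Return user@domain lower-cased, accepting both UPN and domain\\user forms."""
    if "\\" in raw:
        domain, user = raw.split("\\", 1)
        return f"{user}@{domain}".lower()
    return raw.lower()


def parse_mappings(output: str) -> Dict[str, str]:
    """Map client IP -> normalized user for every REDIST line in the output."""
    mappings: Dict[str, str] = {}
    for line in output.splitlines():
        fields = line.split()
        if "REDIST" not in fields:
            continue  # skip headers and non-redistributed entries
        ip = fields[0]
        user = fields[fields.index("REDIST") + 1]  # user follows the REDIST column
        mappings[ip] = normalize_user(user)
    return mappings


def missing_mappings(output: str, expected_ips) -> Set[str]:
    """IPs of connected users that have no redistributed mapping in this output."""
    return set(expected_ips) - set(parse_mappings(output))


if __name__ == "__main__":
    for name, out in (("panorama", PANORAMA_OUTPUT), ("firewall", FIREWALL_OUTPUT)):
        for ip in sorted(missing_mappings(out, CONNECTED_USERS)):
            print(f"{name}: no user mapping for {ip} ({CONNECTED_USERS[ip]})")
```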
10-28-2024 05:12 AM
Identity redistribution is the same as user-ID redistribution.
Also, the commands which you executed
need to be executed on the gateway by TAC.
I would suggest you open a case with the TAC team.
Also, you can refer to this document for identity redistribution.
10-28-2024 08:25 AM
Thanks.
Yeah, I already know this document by heart 😉
I also have support case open for 2 weeks, but here I have better support than with TAC...
I have one question (if you have Prisma):
Is only one SC user-ID enough to get info about all users connected to all gateways globally?
Or if I have 3 SCs in 3 sites, should I connect all 3 user-IDs from all 3 sites with an SC?
Kind Regards,
Kacper
10-29-2024 08:50 AM
One service connection configured as user-ID is enough.
For user-ID you need only two things:
> agent
> collector
Here your service connection will act as the collector; the main task of the collector is to collect the user-ID,
and as far as I know, only one service connection is enough to configure.
I will check more about this and update you.