Prisma Access Mobile Users - User-id data redistribution to on-prem NGFWs


L2 Linker

Hi All,

 

I have a problem with User-ID data redistribution from Prisma Access to on-prem (Panorama).

I have 13 GlobalProtect gateways globally, and I see the usernames in the traffic logs for all gateways.

 

I redistribute User-ID from Prisma to the on-prem Panorama via a service connection and then redistribute from Panorama to the on-prem firewalls.

 

Unfortunately, I have no User-ID redistribution for 4 of the 13 gateways in Panorama -> on-prem NGFWs, so user-based security policies do not work when a user is connected to an "affected gateway".

 

Is it something I can fix on my side?

 

Kind Regards,

Kacper


L2 Linker

I have a question:
> Are those gateways [for which you are seeing the user ID] connected to a service connection?

Abhinav Srivastava

A small correction:
for which you are NOT seeing the user ID

Abhinav Srivastava

I have two service connections.

Panorama is connected behind one of them.

The working gateway IS in the same compute center as the SC connecting Panorama.

 

The non-working gateways are in another SC location and in locations without an SC.

 

For testing purposes, I've connected two User-IDs (the IP addresses specified for the two SCs) to the Panorama (behind one of these two SCs).

I see the status as connected, but it does not change the situation.

 

Kacper

 

 

Check if you have enabled identity redistribution on that service connection (where the non-working gateways are connected).

Check if you have enabled these options for the SC:

IP to user

IP to tag

User to tag

Abhinav Srivastava

L2 Linker

OK, I've connected the firewall at the site of the other SC to the sc-user-id for that location...

 

And it changes nothing. I see the User-ID data for the same gateways as before, but the broken ones are still broken.

 

Escalating to TAC...

 

Kind Regards,

Kacper

Users connected:

Gateway OK: 192.168.227.13

Gateway NOK: 192.168.229.46

 

User-id info:

 

admin@panorama> show user ip-user-mapping-mp all | match as.test
192.168.227.13 REDIST as.test@domain 10187 100.107.127.169

 

admin@firewall(active)> show user ip-user-mapping-mp all | match as.test
192.168.227.13 vsys1 REDIST domain\as.test 10466 100.107.127.169

 

@abhinav2308 : What do you mean by "Check if you have enabled the identity redistribution on that service connection "?

Kacper
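The two CLI outputs above are the right check, but with 13 gateways it is worth scripting the comparison. The following is an added example written for this thread (not a Palo Alto tool or anything posted by the participants): it parses pasted `show user ip-user-mapping-mp all` output from Panorama and from a firewall, folds the two username spellings (`as.test@domain` vs `domain\as.test`) to one form, and reports for each client IP where in the SC -> Panorama -> NGFW chain the mapping goes missing. The column layout is assumed from the two lines quoted in the post, and the trailing IP after the timeout is assumed to be the redistributing peer; the sample output below is constructed from those lines.

```python
import re
from typing import Dict, Iterable, List, NamedTuple


class Mapping(NamedTuple):
    ip: str        # client IP the mapping is for (a GlobalProtect user's tunnel IP here)
    vsys: str      # "" when the device prints no vsys column (Panorama in the thread's sample)
    source: str    # how the mapping was learned, e.g. REDIST
    user: str      # normalized to domain\user, lower-case
    idle: int      # idle timeout in seconds
    peer: str      # trailing IP after the timeout; assumed to be the redistributing peer


IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def normalize_user(raw: str) -> str:
    """Fold 'user@domain' (Panorama form) and 'domain\\user' (firewall form) to one spelling."""
    raw = raw.strip().lower()
    if "@" in raw:
        user, domain = raw.rsplit("@", 1)
        return f"{domain}\\{user}"
    return raw


def parse_mappings(output: str) -> Dict[str, Mapping]:
    """Parse 'show user ip-user-mapping(-mp) all' output into {ip: Mapping}.

    Column layout is assumed from the two lines quoted in the thread; prompt echo,
    headers and anything that does not start with an IPv4 address are skipped.
    """
    mappings: Dict[str, Mapping] = {}
    for line in output.splitlines():
        tokens = line.split()
        if not tokens or not IPV4.match(tokens[0]):
            continue
        ip, rest = tokens[0], tokens[1:]
        vsys = ""
        if rest and rest[0].startswith("vsys"):
            vsys, rest = rest[0], rest[1:]
        if len(rest) < 4 or not rest[2].isdigit():
            continue  # not a mapping row in the layout we understand
        mappings[ip] = Mapping(ip, vsys, rest[0], normalize_user(rest[1]), int(rest[2]), rest[3])
    return mappings


def check_redistribution(expected_ips: Iterable[str], panorama_out: str, firewall_out: str) -> Dict[str, str]:
    """For each client IP that should be mapped, say where in the chain the mapping is lost.

    Chain in the thread: Prisma Access SC -> Panorama -> on-prem NGFW. A mapping absent on
    Panorama means the break is upstream (SC / Prisma Access); present on Panorama but absent
    on the firewall means the Panorama -> NGFW leg is at fault.
    """
    pan = parse_mappings(panorama_out)
    fw = parse_mappings(firewall_out)
    status: Dict[str, str] = {}
    for ip in expected_ips:
        if ip not in pan:
            status[ip] = "missing_on_panorama"
        elif ip not in fw:
            status[ip] = "missing_on_firewall"
        elif pan[ip].user != fw[ip].user:
            status[ip] = "user_mismatch"
        else:
            status[ip] = "ok"
    return status


# Constructed sample output, following the shape of the two lines quoted in the thread.
PANORAMA_OUT = """admin@panorama> show user ip-user-mapping-mp all | match as.test
192.168.227.13 REDIST as.test@domain 10187 100.107.127.169
"""
FIREWALL_OUT = r"""admin@firewall(active)> show user ip-user-mapping-mp all | match as.test
192.168.227.13 vsys1 REDIST domain\as.test 10466 100.107.127.169
"""
# Client IPs from the thread: one behind the working gateway, one behind a broken one.
EXPECTED_IPS: List[str] = ["192.168.227.13", "192.168.229.46"]

if __name__ == "__main__":
    for ip, state in check_redistribution(EXPECTED_IPS, PANORAMA_OUT, FIREWALL_OUT).items():
        print(f"{ip:<16} {state}")
```

Run against the thread's own two lines it reports the working client as `ok` and the broken one as `missing_on_panorama`, which is the useful part: the mapping never reached Panorama, so the Panorama -> NGFW redistribution is not the place to look, and the service connection side (the SC User-ID that was never connected) is.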

 

 

L2 Linker

Identity redistribution is the same as User-ID redistribution.

Also, the commands which you executed need to be executed on the gateway by TAC.

I would suggest you open a case with the TAC team.

Also, you can refer to this document for identity redistribution.

Abhinav Srivastava

L2 Linker

Thanks.

Yeah, I already know this document by heart 😉

I also have a support case open for 2 weeks, but here I have better support than with TAC...

My question is just one (if you have Prisma):
Is only one SC User-ID enough to get info about all users connected to all gateways globally?

Or, if I have 3 SCs in 3 sites, should I connect all 3 User-IDs from all 3 sites with the SC?


Kind Regards,

Kacper


 

One service connection configured as User-ID is enough.
For User-ID you need only two things:

> agent
> collector
Here your service connection will act as a collector; the main task of the collector is to collect the User-ID,

and so, from what I know, only one service connection is enough to configure.

I will check more about this and update you

Abhinav Srivastava

L6 Presenter

There is a new feature to select which SC is used for identity redistribution if you have several: https://docs.paloaltonetworks.com/prisma-access/release-notes/5-0/prisma-access-about/new-features

Great news, thank you!

"By default, all of your service connections, in order of proximity, are used for identity redistribution. However, you may not know which specific service connections are being used for identity redistribution at a given moment. And, depending on the number of service connections you have and the number of User-ID agents you’ve configured, this method for identity redistribution can test the limits of your system resources. To solve this, we now give you the option to decide which service connections you want to use for identity redistribution."

 

The "proximity" in my case was in the 5000km radius 😉

With the new feature deployment I should be able to manage redistribution.

TAC helped me to solve it. I had a third SC defined but not used. The lost User-ID was being there. So the correct answer is: you MUST connect all SC User-IDs even if you think you do not use them. Nobody knows the "proximity" definition.

I'll mark your answer with the link to the manual as the solution. It was written "repeat with all"....

 

Thank you! 

  • 2 accepted solutions
  • 902 Views
  • 13 replies
  • 0 Likes