Palo Alto Networks Knowledgebase: How to Configure and Verify User-ID Collector in PAN-OS
Created On 08/05/19 19:23 PM - Last Updated 08/05/19 19:48 PM
A Palo Alto Networks firewall can be configured as a collector that redistributes user mapping information to other Palo Alto Networks firewalls on your network. This document describes how to configure a redistribution firewall and how to verify the configuration from the CLI.
Only the user mapping information collected by the agentless User-ID (PAN-OS User Mapping) feature is redistributed to the other firewalls.
If multiple firewalls need to pull mappings from the collector, each of them must specify the collector name in its User-ID Agents tab.
The collector does not redistribute mappings received from a terminal server; this is expected behavior.
1. Navigate to Device > User Identification.
2. In the User Mapping tab, click the edit icon.
3. Configure the collector from the Redistribution tab by entering a Collector Name and a Pre-Shared Key. The firewalls that pull user mapping information use these values to authenticate to the collector.
4. Confirm that the Collector Name is shown on the Device > User Identification > User Mapping tab. In this example, user mapping has also been configured for an Active Directory server.
5. Ensure the User-ID service is enabled on an Interface Management profile:
6. Navigate to Network > Network Profiles > Interface Mgmt.
7. Open the profile applied to the appropriate interface, or add a new profile.
8. Enable the User-ID service in the profile.
Note: If you are using a dataplane interface, configure a service route for the UID Agent service that uses that interface.
9. Commit the changes. This completes the configuration of the collector.
Configure a Palo Alto Networks firewall to retrieve the IP-user mappings from the collector:
1. Navigate to the User-ID Agents tab at Device > User Identification.
2. Click Add and fill in the fields. The Collector Name and Pre-Shared Key must match the values configured on the collector.
3. The firewall connects to the collector on port 5007. This port cannot be changed.
4. Commit the changes. The user mappings from the collector will appear on the firewall.
The following CLI commands can be used to verify that the collector service is up and that the user mapping information is received on the other Palo Alto Networks firewalls.
On the collector, display the status of the User-ID service:
> show user user-id-service status
Display the clients (firewalls) that are connected to the collector:
> show user user-id-service client all
Display the IP-user mapping on the collector:
> show user ip-user-mapping all
On the firewall which receives information from the collector, display the IP-user mapping
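As an added example that is not part of the KB article, the following Python script drives the three verification commands above through the PAN-OS XML API so the check can be scripted rather than typed at the CLI each time. The host name fw.example, the API key and the sample response text are placeholders, and the CLI-to-XML conversion only covers keyword-only commands like these three.

```python
# Added example (not from the KB article): drive the article's three CLI
# verification commands through the PAN-OS XML API. Assumes the API is
# reachable on the management interface and an API key already exists.
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# The three CLI verification commands from the article.
CLI_CHECKS = {
    "service": "show user user-id-service status",
    "clients": "show user user-id-service client all",
    "mappings": "show user ip-user-mapping all",
}

# Constructed sample of the API response envelope; the <result> text is
# illustrative, not real PAN-OS output.
SAMPLE_RESPONSE = '<response status="success"><result>collector: up</result></response>'

def cli_to_op_xml(command):
    """Nest each keyword inside the previous one, last keyword self-closing.
    Only keyword-only commands are handled (no argument values)."""
    words = command.split()
    if not words:
        raise ValueError("empty command")
    xml = "<%s/>" % words[-1]
    for word in reversed(words[:-1]):
        xml = "<%s>%s</%s>" % (word, xml, word)
    return xml

def build_op_url(host, api_key, command):
    """Build the XML API URL for a type=op request."""
    params = {"type": "op", "cmd": cli_to_op_xml(command), "key": api_key}
    return "https://%s/api/?%s" % (host, urllib.parse.urlencode(params))

def parse_response(body):
    """Return (success, result_text) from the API response envelope."""
    root = ET.fromstring(body)
    result = root.find("result")
    text = "".join(result.itertext()).strip() if result is not None else ""
    return root.get("status") == "success", text

def run_checks(host, api_key, fetch=None):
    """Run all three checks; fetch is injectable so the logic runs offline."""
    if fetch is None:
        fetch = lambda url: urllib.request.urlopen(url).read().decode()
    return {name: parse_response(fetch(build_op_url(host, api_key, cmd)))
            for name, cmd in CLI_CHECKS.items()}

if __name__ == "__main__":
    print(run_checks("fw.example", "API-KEY", fetch=lambda url: SAMPLE_RESPONSE))
```

A failed check (status other than success, for example a rejected API key) comes back as (False, "") for that command, so the caller can tell an API error apart from a collector with no connected clients.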