How to Configure and Verify User-ID Collector in PAN-OS

Created On 09/26/18 13:48 PM - Last Modified 07/17/25 16:21 PM


Resolution


Overview

A Palo Alto Networks firewall can be configured as a collector that redistributes user mapping information to other Palo Alto Networks firewalls on your network. This document describes how to configure a redistribution firewall and verify the configuration from the CLI.

 

Note:

  • Only the user mapping information collected by the agentless User-ID (PAN-OS User Mapping) feature will be redistributed to the other firewalls.
  • If you have multiple firewalls that need to pull mappings from the collector, all of them should specify the collector name in the User-ID Agents tab.
  • The collector will not redistribute the mappings from a terminal server. This is expected behavior.

 

Steps 

  1. (Pre 10.0) Navigate to Device > User Identification
  2. (Pre 10.0) In the User Mapping tab, click the edit icon
  3. (Pre 10.0) Configure the collector from the Redistribution tab by entering a Collector Name and a Pre-Shared Key. This information is used by the firewalls that will pull user mapping information.
  4. (Pre 10.0) Check for the Collector Name on the Device > User Identification > User Mapping tab. The image below also shows that user mapping has been configured for an Active Directory server.
    userid_collector.JPG
  5. (Post 10.0) Navigate to Device > Data Redistribution
  6. (Post 10.0) In the Collector Settings tab, click the gear icon of the Data Redistribution Agent Setup.
  7. (Post 10.0) Configure the collector by entering a Collector Name and a Pre-Shared Key. This information is used by the firewalls that will pull user mapping information.
  8. (Post 10.0) Check for the Collector Name on the Device > Data Redistribution > Collector Settings tab.
  9. Ensure the User-ID service is enabled on a Management Interface profile
  10. Navigate to Network > Network Profiles > Interface Mgmt
  11. Open the profile applied to the appropriate interface or add a new profile
  12. Enable the User-ID Service in the profile

Note: If you are using a Dataplane interface, configure a service route for that interface on the UID Agent selection.


  13. Commit the changes. This completes the configuration of the collector.

 

Configure a Palo Alto Networks firewall to retrieve the IP-user mappings from the collector.

  1. (Pre 10.0) Navigate to the User-ID Agents tab at Device > User Identification
  2. (Pre 10.0) Click Add and enter values into the fields. The Collector Name and Pre-Shared Key fields should be the same as on the collector.
  3. (Post 10.0) Navigate to the User-ID Agents tab at Device > Data Redistribution > Agents
  4. (Post 10.0) Click Add and enter values into the fields. The Collector Name and the Pre-Shared Key fields should be the same as on the collector.
  5. The firewall will connect to the collector on port 5007. This cannot be modified.
  6. Commit the changes. The user mappings from the collector will appear on the firewall.

 

Verification

The following CLI commands can be used to verify that the collector service is up and the user mapping information is received on the other Palo Alto Networks firewalls.

  1. On the collector, display the status of the User-ID service
    > show user user-id-service status 
  2. Display the clients/firewalls that are connected to the collector
    > show user user-id-service client all
  3. Display the IP-user mapping on the collector
    > show user ip-user-mapping all
  4. On the firewall that receives information from the collector, display the IP-user mapping
    > show user ip-user-mapping all
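
Verification steps 3 and 4 can be compared mechanically: a collector mapping that is absent or different on the receiving firewall means user-based policy there will not match that address. The script below is an added example, not Palo Alto Networks code; the sample output is constructed, and the whitespace-separated column layout (IP, Vsys, From, User, timeouts) and usernames without spaces are assumptions.

```python
import ipaddress

# Constructed sample output for illustration (not captured from a device).
# Assumed layout: whitespace-separated columns IP, Vsys, From, User, timeouts.
COLLECTOR_OUTPUT = """\
IP              Vsys   From    User                   IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- ---------------------- -------------- -------------
192.0.2.10      vsys1  AD      example\\alice          2640           2640
192.0.2.11      vsys1  AD      example\\bob            1200           1200
192.0.2.12      vsys1  AD      example\\carol          300            300
Total: 3 users
"""
CLIENT_OUTPUT = """\
IP              Vsys   From    User                   IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- ---------------------- -------------- -------------
192.0.2.10      vsys1  UIA     example\\alice          2640           2640
192.0.2.11      vsys1  UIA     example\\dave           1200           1200
Total: 2 users
"""


def parse_mappings(text):
    """Return {ip: user} from the table, skipping header, separator and total lines."""
    mappings = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a data row
        mappings[str(ip)] = fields[3].lower()  # compare users case-insensitively
    return mappings


def compare(collector_text, client_text):
    """List collector mappings that the receiving firewall lacks or maps to another user."""
    collector = parse_mappings(collector_text)
    client = parse_mappings(client_text)
    missing = sorted(ip for ip in collector if ip not in client)
    mismatched = sorted(ip for ip in collector
                        if ip in client and client[ip] != collector[ip])
    return {"missing": missing, "mismatched": mismatched}


if __name__ == "__main__":
    result = compare(COLLECTOR_OUTPUT, CLIENT_OUTPUT)
    for kind, ips in result.items():
        print(f"{kind}: {', '.join(ips) if ips else 'none'}")
```

The From column is ignored; only IP-to-user pairs are compared.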

 


owner: sdarapuneni


