PAN-OS: User-ID Data Redistribution

What is User-ID Data Redistribution?

User-ID Data Redistribution refers to the mechanisms within PAN-OS for sharing IP address-to-username mappings learned by one component (like a User-ID Agent or Panorama) with other PAN-OS devices (firewalls or other agents). The goal is to ensure that multiple enforcement points have consistent and up-to-date User-ID information without requiring each device to independently query all the original mapping sources.

This is essential in environments with multiple firewalls, geographically distributed locations, or centralized management scenarios.

Why Use User-ID Redistribution?

Mechanisms for Redistribution

PAN-OS supports several ways to share/redistribute User-ID mappings:

  1. Panorama as Redistributor (Recommended for Managed Devices):

    • How it Works: Panorama is configured to collect User-ID mappings from one or more sources (Windows User-ID Agents, PAN-OS Integrated Agents on firewalls configured to forward to Panorama, XML API, etc.). Panorama consolidates this information and then pushes the mapping table down to its managed firewalls as part of the User-ID configuration updates.
    • Configuration:
      • On Panorama: Configure User-ID Agents (Panorama > Collector Groups > [Group] > Agent) or configure Panorama itself to collect mappings (if acting as an agent). Enable redistribution within the User-ID settings (Panorama > User Identification > Setup, or a similar path depending on version and context).
      • On Managed Firewalls: Configure User-ID settings (Device > User Identification > Setup) to retrieve mappings from Panorama. Ensure they are *not* also configured to pull directly from the same Agents that Panorama is using, to avoid conflicts.
    • Benefit: Highly scalable, centralized control, simplifies firewall configuration.
                graph LR
                    subgraph Sources
                        DC1[Domain Controller 1];
                        DC2[Domain Controller 2];
                        API[XML API Source];
                    end
                    subgraph Agents
                        Agent1[Windows Agent 1];
                        FW_Agent[Firewall w/ Integrated Agent];
                    end
                    subgraph Management
                        P[Panorama Consolidates & Redistributes];
                    end
                    subgraph Enforcement
                        FW1[Managed Firewall 1];
                        FW2[Managed Firewall 2];
                    end
                    DC1 -- Monitors --> Agent1;
                    DC2 -- Monitors --> FW_Agent;
                    API -- Sends --> Agent1;
                    Agent1 -- Pushes Mappings --> P;
                    FW_Agent -- Pushes Mappings --> P;
                    P -- Redistributes Mappings --> FW1;
                    P -- Redistributes Mappings --> FW2;
                    style P fill:#eaf2f8,stroke:#aed6f1,stroke-width:2px
    Panorama Redistributing User-ID Mappings.
  2. User-ID Agent (Windows or PAN-OS Integrated) Push to Firewalls:

    • How it Works: A Windows User-ID Agent or a firewall configured with the PAN-OS Integrated Agent collects mappings and is configured to directly push those mappings to multiple specific firewalls.
    • Configuration:
      • On the Agent (Windows software or PAN-OS Integrated Agent config): Define the list of firewalls (by IP address) that should receive mappings.
      • On the receiving Firewalls: Configure them under Device > User Identification > User-ID Agents to accept mappings from the specific Agent IP address(es).
    • Benefit: Useful when Panorama is not used or when specific agents need to feed specific groups of firewalls directly.
    • Drawback: Less centralized than using Panorama; requires configuring firewall lists on each agent.
  3. Firewall High Availability (HA) Sync:

    • How it Works: In an HA pair, User-ID mappings (along with session information) are automatically synchronized between the active and passive peers.
    • Configuration: Part of the standard HA configuration and synchronization settings. No specific "redistribution" configuration is typically needed for this mechanism.
    • Benefit: Ensures seamless policy enforcement during an HA failover.
  4. User-ID Agent to User-ID Agent Forwarding (Legacy/Less Common):

    • How it Works: One Windows User-ID Agent could be configured to forward its collected mappings to another Windows User-ID Agent, creating a hierarchy.
    • Configuration: Done within the Windows User-ID Agent software settings.
    • Drawback: Adds complexity; largely superseded by Panorama redistribution for large environments.
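Mechanism 1 lists the XML API as one of the sources an agent or Panorama can consolidate. The block below is an added example, not Palo Alto Networks code or part of this page: it builds the documented User-ID XML API `<uid-message>` payload (version 1.0, type update, with login and logout entries), parses it back for validation, and assembles the request for the `type=user-id` endpoint without sending anything. The hostname, API key and usernames are constructed placeholders.

```python
"""Build and validate PAN-OS User-ID XML API messages (added example, offline)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

API_KEY = "PLACEHOLDER_API_KEY"      # constructed placeholder, not a real key
TARGET = "panorama.example.invalid"  # constructed placeholder hostname


def build_uid_message(logins, logouts=(), timeout_minutes=None):
    """Return <uid-message> XML for a batch of IP-to-user login/logout entries.

    logins / logouts are iterables of (username, ip) tuples. timeout_minutes is
    an optional per-entry timeout for login entries; when omitted the receiving
    device applies its own default.
    """
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    logins = list(logins)
    logouts = list(logouts)
    if logins:
        login = ET.SubElement(payload, "login")
        for user, ip in logins:
            attrs = {"name": user, "ip": ip}
            if timeout_minutes is not None:
                attrs["timeout"] = str(timeout_minutes)
            ET.SubElement(login, "entry", attrs)
    if logouts:
        logout = ET.SubElement(payload, "logout")
        for user, ip in logouts:
            ET.SubElement(logout, "entry", {"name": user, "ip": ip})
    return ET.tostring(root, encoding="unicode")


def parse_uid_message(xml_text):
    """Parse a <uid-message> into {'login': [(user, ip, timeout)], 'logout': [(user, ip)]}.

    Rejects anything that is not a version 1.0 update message, the only shape
    this example produces; a mapping source that accepts arbitrary XML here is
    a consistency risk for every device the mapping is redistributed to.
    """
    root = ET.fromstring(xml_text)
    if (root.tag != "uid-message"
            or root.findtext("version") != "1.0"
            or root.findtext("type") != "update"):
        raise ValueError("not a User-ID update message")
    result = {"login": [], "logout": []}
    for entry in root.iterfind("./payload/login/entry"):
        result["login"].append((entry.get("name"), entry.get("ip"), entry.get("timeout")))
    for entry in root.iterfind("./payload/logout/entry"):
        result["logout"].append((entry.get("name"), entry.get("ip")))
    return result


def build_request(xml_text, host=TARGET, api_key=API_KEY):
    """Return (url, form_body) for POSTing the message to the User-ID API endpoint.

    The endpoint is https://<host>/api/?type=user-id and the XML travels in the
    'cmd' form field. Nothing is sent, so the example runs offline.
    """
    url = f"https://{host}/api/?type=user-id"
    body = urlencode({"key": api_key, "cmd": xml_text})
    return url, body


if __name__ == "__main__":
    # Constructed sample: one user logging in, one stale mapping being cleared.
    msg = build_uid_message([("acme\\jparker", "10.1.1.23")],
                            logouts=[("acme\\old", "10.1.1.9")],
                            timeout_minutes=20)
    print(msg)
    print(parse_uid_message(msg))
    print(build_request(msg)[0])
```

Once the receiving device accepts the update, the entry should be visible in the CLI output of `show user ip-user-mapping all`; if Panorama is the redistributor, the same entry should then appear on the managed firewalls without any direct API call to them.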

Configuration Highlights (Panorama Redistribution Example)

Configuring Panorama as the central redistributor is a common best practice:

  1. Configure User-ID Sources on Panorama:
    • Define connections to Windows User-ID Agents (Panorama > Collector Groups > ... > Agent).
    • OR configure Panorama itself to act as an integrated agent monitoring DCs (Panorama > User Identification > User Mapping > Server Monitoring; requires Panorama management interface connectivity to the DCs).
    • Configure Group Mapping on Panorama (Panorama > User Identification > Group Mapping Settings).
  2. Enable Redistribution on Panorama:
    • Ensure User-ID redistribution settings within Panorama are configured to allow sending mappings to managed devices (often enabled by default or within setup wizards).
    • Panorama > User Identification > Setup > ??? (Exact path may vary slightly by PAN-OS/Panorama version - check relevant User-ID settings).
  3. Configure Firewalls to Use Panorama:
    • Push configuration via Templates/Template Stacks or configure directly on firewalls (Device > User Identification > Setup).
    • Ensure the firewall's User-ID configuration points to Panorama as the source for mappings.
    • Crucially, REMOVE any direct connections from the firewall to the User-ID Agents that Panorama is already monitoring (Device > User Identification > User-ID Agents should be empty, or point only to agents *not* monitored by Panorama if using a hybrid approach).
  4. Commit changes to Panorama and Push to devices.

Best Practices

Caveats and Gotchas

PCNSE Exam Focus

For the PCNSE exam, understand:

User-ID Redistribution Quiz

1. What is the main goal of User-ID Data Redistribution in a multi-firewall environment?

Redistribution allows mappings collected by one central point (like Panorama or an agent) to be shared with multiple firewalls, ensuring consistency and reducing load on source systems like Domain Controllers.

2. In a large environment managed by Panorama, what is the recommended best practice for distributing User-ID mappings to managed firewalls?

Using Panorama as a central User-ID broker and redistributor is the most scalable and manageable approach for environments with multiple firewalls under Panorama management.

3. If Panorama is configured to redistribute User-ID mappings to managed firewalls, what configuration should typically be REMOVED from the managed firewalls?

To avoid conflicts and ensure Panorama is the single source of truth, firewalls should be configured to get mappings *from* Panorama and should NOT be configured to *also* connect directly to the same User-ID agents that Panorama is already querying.

4. Which component typically initiates the *push* of User-ID mappings in a redistribution scenario (excluding HA sync)?

The User-ID Agent (Windows or Integrated) or Panorama actively pushes the collected mappings out to the firewalls configured to receive them. Firewalls listen for these updates.

5. What is the default TCP port used for communication between a Windows User-ID Agent and a PAN-OS firewall/Panorama for mapping redistribution?

By default, the Windows User-ID Agent communicates with firewalls and Panorama using TCP port 5007. Firewall rules must allow this traffic.

6. How are User-ID mappings typically kept consistent between firewalls in an Active/Passive High Availability (HA) pair?

User-ID mappings are part of the runtime state synchronized between HA peers over the dedicated HA control and data links, ensuring consistency for failover without manual redistribution configuration between the peers.

7. Can a firewall running the PAN-OS Integrated User-ID Agent redistribute mappings to other firewalls?

A firewall using the integrated agent can act like the Windows agent in terms of redistribution; you can configure it to push its learned mappings to other specified firewall management IP addresses.

8. What is a potential consequence of network latency between Panorama (acting as redistributor) and a managed firewall?

Redistribution relies on timely updates. High latency or network interruptions can delay the firewall receiving the latest mappings from Panorama, potentially causing policies to be enforced based on outdated information.

9. Where on a receiving firewall do you configure it to accept User-ID mappings directly from a specific Windows User-ID Agent?

You configure the firewall to trust and connect to specific User-ID Agent servers under `Device > User Identification > User-ID Agents`. This tells the firewall which agent(s) are allowed to push mappings to it.

10. A firewall is managed by Panorama, and Panorama is configured to collect User-ID data from Agent-1. To ensure the firewall uses these mappings correctly, what should typically be configured on the firewall itself regarding Agent-1?

When using Panorama redistribution, the firewall should be configured to get its mappings solely from Panorama. Configuring a direct connection to the same agent that Panorama uses would create a conflicting source and defeat the purpose of centralization.
