If you see strange traceroute behavior after you start implementing Zone Protection Profiles, make sure the "Discard ICMP embedded with error message" box (Packet Based Attack Protection > ICMP Drop) is UNCHECKED. Remember how traceroute works: each probe goes out with a TTL that increments by 1, and the router that decrements it to 0 answers with an ICMP Time Exceeded error that carries the headers of your original probe embedded inside it. Those error replies from routers beyond the firewall have to come back through the firewall, and with the box checked the firewall drops them.
The first trace in the original screenshots showed the expected results of a normal traceroute; the second showed the results WITH the box checked.
The PaloAlto is the second hop. Notice that the final hop, Google DNS, still answers: its reply is a normal echo reply with no embedded error in it, so nothing discards it.
Directing IT Support & Operations in K-12
Ever wonder what a (former) IT director for a ~25,000 student district does, ponders, or decides to write down?
Friday, March 11, 2016
Thursday, February 4, 2016
PaloAlto: How to Setup User-ID Information Exchange Between Firewalls
General steps:
- On the firewall that has valid User-ID information (it becomes the collector):
  - Create a Redistribution Collector for the other firewalls to gather mappings from. The collector is the node currently doing the active User-ID mapping. It needs a collector name and a shared key; record both, because the other firewalls must enter them exactly.
  - Select an interface and IP address to serve as the source of the redistribution. This is the address the other firewalls will query. It can be a standard data interface or the management interface; either way its interface management profile (or the MGT interface's permitted services) must allow User-ID.
- On the firewalls that request the User-ID information:
  - Create a User-ID Agent entry that references the collector above.
  - Ensure traffic on TCP 5007 from the remote firewalls to the collector firewall is allowed by policy.
Now with Pictures!
This is done on the firewalls already doing User-ID. They will become Redistribution Collectors.
Select the Device tab, then User Identification. Select the User Mapping tab and click the gear (the green gear for those of you on Panorama). Inside the window, select the Redistribution tab and fill it out. Remember or record the collector name and your key. Click OK when complete.
Your User Mapping tab should now show your collector name.
OK, the collector is configured. Commit on the collector so the change takes effect. Next up are the agents that will use this collector. You have allowed them to talk to the collector over TCP port 5007, right?
On the remote firewalls:
On the Device tab, User Identification, select the User-ID Agents tab. Click Add at the bottom to get the next screen and fill out the information:
- Name: You get to pick a name here. It does not have to match anything on the collector.
- Host: The remote collector's IP address (the redistribution interface you selected on the collector).
- Port: 5007, no ifs, ands or buts. It just is. It's in the documentation.
- Collector Name: The exact name you entered on the collector's Redistribution tab.
- Collector Pre-Shared Key: The shared key you recorded.
- Confirm Collector Pre-Shared Key: Really... type it again.
- Check only the Enabled box.
- Click OK.
You may have only one entry. Commit your changes once you are happy.
Verification:
On the collector firewalls:
- show user user-id-service status
- show user user-id-service client all
On the remote firewalls:
- show user user-id-agent state all
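As an added example (not code from the original post, and not a Palo Alto Networks tool), here is a small Python pre-flight and verification helper for the procedure above. It checks a User-ID Agent entry against the rules in the post (port 5007, a non-empty collector name, a pre-shared key that matches its confirmation, Enabled ticked), tests whether TCP 5007 on the collector is reachable, and builds the PAN-OS XML API URLs (type=op) that run the three verification commands remotely. Assumptions: the CLI-to-XML mapping (each keyword becomes an element, the trailing "all" becomes the innermost element's text) is the standard one and can be confirmed with "debug cli on" at the firewall CLI; the firewall address, API key and agent entry values are placeholders.

```python
"""Pre-flight and verification helpers for PAN-OS firewall-to-firewall
User-ID redistribution (added example; not from the original post)."""
import socket
from urllib.parse import urlencode

# Firewall-to-firewall redistribution always uses TCP 5007 on the collector.
REDIST_PORT = 5007

# The post's verification commands, split into CLI keywords plus an optional
# trailing argument, keyed by the firewall they are run on.
VERIFY_COMMANDS = {
    "collector": [
        ("show user user-id-service status", None),
        ("show user user-id-service client", "all"),
    ],
    "agent": [
        ("show user user-id-agent state", "all"),
    ],
}


def cli_to_op_xml(keywords, value=None):
    """Build the nested-element form that the XML API's type=op request takes.

    Each CLI keyword becomes an element; a trailing argument becomes the text
    of the innermost element. Assumption: this mechanical mapping holds for the
    three verification commands; 'debug cli on' at the firewall CLI echoes the
    exact XML for any command if you need to confirm another one.
    """
    words = keywords.split()
    last = words[-1]
    xml = f"<{last}>{value}</{last}>" if value is not None else f"<{last}/>"
    for word in reversed(words[:-1]):
        xml = f"<{word}>{xml}</{word}>"
    return xml


def op_url(firewall, keywords, value, api_key):
    """Return the XML API URL that runs the given operational command.

    Assumptions: 'firewall' is a management address reachable over HTTPS and
    'api_key' was generated with type=keygen for an admin allowed to run
    operational commands.
    """
    params = {"type": "op", "cmd": cli_to_op_xml(keywords, value), "key": api_key}
    return f"https://{firewall}/api/?{urlencode(params)}"


def tcp_reachable(host, port=REDIST_PORT, timeout=3.0):
    """True if a TCP connection to host:port completes within timeout.

    Run it from a host on the agent firewall's side of the policy. It proves
    only that the path and the security rule allow the port, not that the
    collector name and pre-shared key are right.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_agent_entry(entry):
    """Return a list of problems with a User-ID Agent entry before committing.

    'entry' is a dict with the fields of the agent dialog: name, host, port,
    collector_name, collector_key, collector_key_confirm, enabled.
    """
    problems = []
    if entry.get("port") != REDIST_PORT:
        problems.append(f"port must be {REDIST_PORT} for a firewall collector")
    if not entry.get("collector_name", "").strip():
        problems.append("collector name is empty; it must match the collector exactly")
    if entry.get("collector_key") != entry.get("collector_key_confirm"):
        problems.append("pre-shared key and its confirmation differ")
    if not entry.get("enabled", False):
        problems.append("entry is not enabled")
    return problems


def preflight(collector_host, entry, timeout=3.0):
    """Combine the entry checks with a reachability test of the collector."""
    problems = check_agent_entry(entry)
    if not tcp_reachable(collector_host, REDIST_PORT, timeout):
        problems.append(f"tcp/{REDIST_PORT} to {collector_host} is not reachable; "
                        "check the security rule from the agent firewall")
    return problems


if __name__ == "__main__":
    # Constructed sample: the address and key are placeholders, not real values.
    sample = {
        "name": "hq-collector", "host": "192.0.2.10", "port": REDIST_PORT,
        "collector_name": "HQ-FW-COLLECTOR", "collector_key": "example-psk",
        "collector_key_confirm": "example-psk", "enabled": True,
    }
    for problem in preflight(sample["host"], sample):
        print("problem:", problem)
    for role, commands in VERIFY_COMMANDS.items():
        for keywords, value in commands:
            print(role, op_url(sample["host"], keywords, value, "API-KEY"))
```

Run the script from a machine behind the agent firewall and feed the printed URLs to curl or a browser with a real API key; a "problem:" line for tcp/5007 almost always means the security rule (or the interface's permitted User-ID service) is missing, while a connection that succeeds but an agent state that never comes up points at a collector name or key mismatch.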
Anyhow, good luck!
Update: If the collector is an active/passive HA pair and you are redistributing from its management interface, you cannot configure both HA nodes as agents on the firewalls that consume from the collector; only one entry works.