User-ID Redistribution Enhancement
You can now relay user mapping information from one firewall to another in a sequence of up to ten firewalls instead of only two. This increase in the relay sequence enables you to redistribute mapping information in a large-scale network that has hundreds of user identification sources or that has users who rely on local sources for authentication (such as regional directory services) but who require access to remote resources (such as global data center applications). Redistributing mapping information also reduces the resources that firewalls and information sources use because fewer firewalls query the sources directly.
Figure: User-ID-Redistribution shows how you can organize the redistribution sequence in layers, where each layer has one or more firewalls. In this example, bottom-layer firewalls in local offices redistribute mapping information to middle-layer firewalls in regional offices, which redistribute to one top-layer firewall in a global data center. The data center firewall redistributes the mapping information to other data center firewalls so that they can enforce global policies for all users.
Figure: User-ID-Redistribution
Configure User-ID Redistribution
1. Plan the redistribution architecture.
   a. Decide which User-ID agents and methods to use for user mapping (IP addresses to usernames). You cannot redistribute user mapping information that Terminal Services (TS) agents collect. You also cannot redistribute group mapping information.
   b. Determine the most efficient firewall deployment for User-ID redistribution.
2. Configure User-ID agents to perform user mapping.
   a. Configure user mapping using PAN-OS Integrated User-ID agents.
   b. Configure user mapping using Windows-based User-ID Agents.
3. Configure the firewalls to receive and redistribute mapping information.
   a. Enable each bottom-layer firewall to forward mapping information to one or more firewalls in the layer directly above.
   b. Enable each firewall in the middle layers to receive mapping information from the layer below and forward that information to the layer above. You must also perform this task for a firewall (in any layer) that redistributes mapping information to other firewalls in the same layer. For example, Figure: User-ID-Redistribution shows one data center firewall that redistributes to other data center firewalls. Figure: User-ID-Redistribution shows only one middle layer of firewalls, but you can deploy as many layers as the redistribution limit of ten hops allows.
   c. Enable each top-layer firewall to receive mapping information from all other layers. You must also perform this task for any firewall that is an end point in the redistribution sequence within a layer. For example, Figure: User-ID-Redistribution shows two data center firewalls that receive mapping information from another data center firewall.
   d. Verify that the top-layer firewalls are aggregating mapping information from all other layers.
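As an added planning aid (not part of the original documentation and not PAN-OS code), the following Python models a redistribution topology with hypothetical firewall names, measures the longest relay sequence against the ten-firewall limit stated above, rejects loops (a firewall that would receive its own mappings back), and reports which configuration step each firewall needs: forward only, receive and forward, or receive only.

```python
from collections import defaultdict

# Assumption taken from the text: a relay sequence may contain at most ten firewalls.
MAX_FIREWALLS_IN_SEQUENCE = 10

# Constructed sample topology with hypothetical firewall names. Each (src, dst)
# edge means src redistributes its user mapping information to dst.
SAMPLE_EDGES = [
    ("branch-1", "regional-1"), ("branch-2", "regional-1"),
    ("branch-3", "regional-2"),
    ("regional-1", "dc-1"), ("regional-2", "dc-1"),
    ("dc-1", "dc-2"), ("dc-1", "dc-3"),
]


def build_graph(edges):
    """Return (predecessors, successors) adjacency maps for the redistribution edges."""
    pred, succ = defaultdict(set), defaultdict(set)
    for src, dst in edges:
        succ[src].add(dst)
        pred[dst].add(src)
    return pred, succ


def chain_lengths(edges):
    """Longest relay sequence (counted in firewalls) ending at each firewall.
    Raises ValueError if the topology contains a redistribution loop."""
    pred, succ = build_graph(edges)
    nodes = set(pred) | set(succ)
    memo, on_stack = {}, set()

    def longest_to(node):
        if node in memo:
            return memo[node]
        if node in on_stack:
            raise ValueError(f"redistribution loop through {node}")
        on_stack.add(node)
        best = 1 + max((longest_to(p) for p in pred[node]), default=0)
        on_stack.discard(node)
        memo[node] = best
        return best

    return {n: longest_to(n) for n in nodes}


def over_limit(edges):
    """Firewalls whose longest inbound relay sequence exceeds the ten-firewall limit."""
    return sorted(n for n, d in chain_lengths(edges).items() if d > MAX_FIREWALLS_IN_SEQUENCE)


def roles(edges):
    """Configuration step each firewall needs: 'forward' (bottom layer),
    'receive-and-forward' (middle layer or intra-layer relay), 'receive' (end point)."""
    pred, succ = build_graph(edges)
    result = {}
    for n in set(pred) | set(succ):
        has_in, has_out = bool(pred[n]), bool(succ[n])
        result[n] = "receive-and-forward" if has_in and has_out else ("forward" if has_out else "receive")
    return result
```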