User-ID Best Practices for Redistribution

Learn the best ways for planning, deploying, and verifying redistribution for User-ID information, along with other data types.
In a large-scale network, instead of configuring all your firewalls to directly query the mapping information sources, you can streamline resource usage by configuring firewalls to collect mapping information that already exists on other firewalls through redistribution.

Plan User-ID Best Practices for Redistribution Deployment

  • Plan the redistribution architecture. Some factors to consider are:
    • Which firewalls will enforce policies for all data types (such as IP address-to-username mappings or device quarantine information) and which firewalls should receive a subset of data?
    • Which IP ranges require IP address-to-username mappings?
    • If you have an internal gateway that provides user mapping, what other devices require that data? What function and role will they have?
    • How can you minimize the number of hops required to aggregate all the data? The maximum allowed number of hops for IP address-to-username mappings is ten and the maximum allowed number of hops for username-to-tag mappings and IP address-to-tag mappings is one.
    • How can you minimize the number of firewalls that query the user mapping information sources? The fewer the number of querying firewalls, the lower the processing load is on both the firewalls and sources.
  • Determine the best option for your redistribution hub:
    • A dedicated VM-Series firewall is best for large-scale User-ID deployments. If you are only redistributing user mappings, a VM-50 is sufficient. If you plan to also redistribute IP address-to-tag mappings, we recommend using a VM-300 or higher series.
    • Panorama is best for medium- to small-scale environments and if you do not use syslog or server monitoring to collect user mappings.
  • Based on your network requirements, determine what type of topology you want to use:
    • Hub-and-spoke for a single region
    • Hub-and-spoke for multiple regions
    • Hierarchical
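The hop limits above decide which topology you can use for each data type. The following script is an added example (not Palo Alto Networks code) that models a redistribution topology as agent-to-client edges and reports every firewall that sits more hops from the querying firewall than the limit for a given data type. The topologies, firewall names and helper functions are constructed for illustration; the limits themselves (ten hops for IP address-to-username mappings, one hop for username-to-tag and IP address-to-tag mappings) are the ones stated in the text.

```python
"""Check per-data-type hop limits for a User-ID redistribution topology.

Added example, not Palo Alto Networks code. Firewall names, the two sample
topologies and the function names are assumptions for illustration.
"""
from collections import deque

# Maximum number of redistribution hops allowed per data type, as given in
# the best-practices text.
MAX_HOPS = {
    "ip-user": 10,   # IP address-to-username mappings
    "user-tag": 1,   # username-to-tag mappings
    "ip-tag": 1,     # IP address-to-tag mappings
}


def hops_from_source(edges, source):
    """Return {firewall: hops} for every firewall reachable from `source`.

    edges maps an agent to the list of clients it redistributes to. The
    firewall that queries the mapping source itself is at hop 0, and each
    agent-to-client forwarding step adds one hop. Breadth-first search with
    a visited set gives the shortest path and tolerates cycles (for example
    bidirectional redistribution inside a region).
    """
    dist = {source: 0}
    queue = deque([source])
    while queue:
        node = queue.popleft()
        for client in edges.get(node, []):
            if client not in dist:
                dist[client] = dist[node] + 1
                queue.append(client)
    return dist


def check_topology(edges, source, data_type):
    """Return a sorted list of (firewall, hops) that exceed the limit."""
    limit = MAX_HOPS[data_type]
    return sorted((fw, h) for fw, h in hops_from_source(edges, source).items()
                  if h > limit)


# Constructed hierarchical topology: one regional collector queries the
# mapping sources, forwards to a global hub, which forwards to regional
# hubs, which forward to the enforcement spokes.
HIERARCHICAL = {
    "collector-emea": ["hub-global"],
    "hub-global": ["hub-emea", "hub-apac"],
    "hub-emea": ["spoke-emea-1", "spoke-emea-2"],
    "hub-apac": ["spoke-apac-1"],
}

# Constructed single-region hub-and-spoke topology: the hub queries the
# mapping sources directly and redistributes to its spokes.
HUB_AND_SPOKE = {
    "hub-emea": ["spoke-emea-1", "spoke-emea-2", "spoke-emea-3"],
}

if __name__ == "__main__":
    for name, topo, src in [("hierarchical", HIERARCHICAL, "collector-emea"),
                            ("hub-and-spoke", HUB_AND_SPOKE, "hub-emea")]:
        for data_type in MAX_HOPS:
            over = check_topology(topo, src, data_type)
            print(f"{name:14} {data_type:9} over limit: {over or 'none'}")
```

Running it shows the practical consequence of the one-hop limit: the three-level hierarchy is fine for IP address-to-username mappings but places every regional hub and spoke beyond the limit for tag mappings, so tags have to be learned or redistributed from a firewall one hop away (as in the hub-and-spoke case), not relayed through the global hub.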

Deploy Redistribution Using Best Practices for User-ID

  • Configure the sources of the information you want to redistribute:
    • Configure which networks the agent or agents include in data redistribution and which networks they exclude from redistributing IP address-to-tag mappings or IP address-to-username mappings. Use the Include/Exclude Networks list to define the subnetworks that the redistribution agent includes or excludes when it redistributes the mappings.
    • Configure which networks or resources receive specific data types through redistribution.
  • Enable Authentication with Custom Certificates for Redistribution to use a custom certificate for mutual authentication between the redistribution agents and the clients.
  • Use either a VM-Series firewall or Panorama to redistribute data. Because Panorama can be either an agent or a client, use Data Redistribution to configure data redistribution on Panorama.
  • If a firewall that enforces policy needs mappings for both remote and local users, because it is both a GlobalProtect gateway (for remote users) and a data center firewall (for local users), enable bidirectional redistribution so that it both sends and receives mappings.
  • To ensure optimal resiliency, you should enable bidirectional redistribution only within a region, not between regions.
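The Include/Exclude Networks step above determines which mappings ever leave a redistribution agent, which is the main control you have over how far identity data spreads. The following script is an added example (not Palo Alto Networks code) that applies such a list to a set of IP address-to-username mappings before they are redistributed. The sample mappings, subnets and function names are constructed for illustration, and the matching rule it implements is an assumption rather than a description of the firewall's implementation: an empty list includes everything, any include entry makes every network not listed implicitly excluded, and when an include and an exclude entry overlap the more specific (longer prefix) entry decides.

```python
"""Apply an Include/Exclude Networks list to IP-to-username mappings.

Added example, not Palo Alto Networks code. Mappings, subnets and function
names are constructed; the matching semantics below are an assumption:
  - empty list: every mapping is redistributed
  - any include entry present: networks not listed are implicitly excluded
  - overlapping include/exclude entries: longest prefix wins
"""
import ipaddress


def redistribute_filter(mappings, include_exclude):
    """Return the subset of mappings the agent should redistribute.

    mappings: {ip_string: username}
    include_exclude: list of (network_string, "include" | "exclude")
    """
    entries = [(ipaddress.ip_network(net), action)
               for net, action in include_exclude]
    has_include = any(action == "include" for _, action in entries)
    kept = {}
    for ip_str, user in mappings.items():
        ip = ipaddress.ip_address(ip_str)
        matches = [(net, action) for net, action in entries if ip in net]
        if matches:
            # Most specific entry wins when include and exclude overlap.
            _, action = max(matches, key=lambda m: m[0].prefixlen)
            allowed = action == "include"
        else:
            # No explicit entry: implicitly excluded once any include exists.
            allowed = not has_include
        if allowed:
            kept[ip_str] = user
    return kept


# Constructed sample mappings, as a firewall might learn them from
# server monitoring.
SAMPLE_MAPPINGS = {
    "10.1.20.15": "acme\\alice",        # corporate user subnet
    "10.1.99.7": "acme\\guest-kiosk",   # guest subnet carved out of the corp range
    "10.2.5.40": "acme\\bob",           # data center subnet
    "192.168.50.3": "acme\\lab-user",   # lab range, not listed at all
}

# Include the corporate and data center ranges, carve out the guest subnet;
# anything not listed (the lab range) is implicitly excluded.
INCLUDE_EXCLUDE = [
    ("10.1.0.0/16", "include"),
    ("10.1.99.0/24", "exclude"),
    ("10.2.0.0/16", "include"),
]

if __name__ == "__main__":
    for ip, user in redistribute_filter(SAMPLE_MAPPINGS, INCLUDE_EXCLUDE).items():
        print(f"redistribute {ip} -> {user}")
```

With the list above only the corporate and data center mappings are redistributed; the guest kiosk is dropped by the more specific exclude entry and the lab mapping is dropped because it matches nothing while include entries exist. An exclude-only list behaves differently, keeping everything except the excluded subnet, which is worth checking before committing a list that is meant to limit what downstream firewalls receive.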

Use Redistribution Post-Deployment Best Practices for User-ID
