Streamline resource usage by configuring firewalls to collect mapping information
In a large-scale network, instead of configuring all your firewalls directly to query
the mapping information sources, you can streamline resource usage by configuring
some firewalls to collect mapping information through redistribution. Data
redistribution also provides granularity, allowing you to redistribute only the
types of information you specify to only the devices you select. You can also filter
the IP address-to-username or IP address-to-tag mappings by subnet or address range so that each
firewall collects only the mappings it needs to enforce its policy rules.
To redistribute the data, you can use the following architecture types:
Hub and spoke architecture for a single region:
As a best practice, use a hub and spoke architecture to redistribute data between
firewalls. In this configuration, a hub firewall collects the data from
sources such as Windows User-ID agents, syslog servers, Domain Controllers,
or other firewalls. Configure the redistribution client firewalls to collect
the data from the hub firewall.
Multi-hub and spoke architecture for multiple regions:
If you have firewalls deployed in multiple regions and want to distribute the
data to the firewalls in all of those regions, use a multi-hub and spoke
architecture. This lets you enforce policy rules consistently regardless of the
region in which a user logs in.
To redistribute data, you can also use a hierarchical architecture. For
example, to redistribute data such as User-ID information, organize the
redistribution sequence in layers, where each layer has one or more
firewalls. In the bottom layer, PAN-OS integrated User-ID agents running on
firewalls and Windows-based User-ID agents running on Windows servers map IP
addresses to usernames. Each higher layer has firewalls that receive the
mapping information and authentication timestamps from up to 100
redistribution points in the layer beneath it. The top-layer firewalls
aggregate the mappings and timestamps from all layers. This deployment
provides the option to configure policy rules for all users in top-layer
firewalls and region- or function-specific policy rules for a subset of
users in the corresponding domains served by lower-layer firewalls.
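To make the layered redistribution and the subnet filtering concrete, the following is an added Python model written for this page; it is not PAN-OS code and not taken from the product documentation. The agent names, hub names, subnets, usernames and timestamps are constructed sample data, and the 100-source limit is the one stated above.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

MAX_REDIST_POINTS = 100  # the page's limit: up to 100 redistribution points per collecting firewall
Mapping = namedtuple("Mapping", "ip user auth_ts")  # IP address, username, authentication timestamp


class RedistPoint:
    """A User-ID agent (seeded with its own mappings) or a firewall collecting from a lower layer."""
    def __init__(self, name, include_subnets=(), seed=()):
        self.name = name
        self.include = [ip_network(s) for s in include_subnets]  # empty list = collect everything
        self.sources = []
        self.table = {m.ip: m for m in seed}  # ip -> most recent Mapping seen

    def add_source(self, src):
        if len(self.sources) >= MAX_REDIST_POINTS:
            raise ValueError(f"{self.name}: more than {MAX_REDIST_POINTS} redistribution points")
        self.sources.append(src)

    def wants(self, ip):
        return not self.include or any(ip_address(ip) in net for net in self.include)

    def collect(self):
        for src in self.sources:
            for m in src.table.values():
                cur = self.table.get(m.ip)
                if self.wants(m.ip) and (cur is None or m.auth_ts > cur.auth_ts):
                    self.table[m.ip] = m  # newest authentication timestamp wins
        return dict(self.table)


def build_hierarchy():
    """Constructed data: two agents, two regional hubs filtered by subnet, one top-layer firewall."""
    win_agent = RedistPoint("win-agent", seed=[Mapping("10.1.1.5", "alice", 100),
                                               Mapping("10.2.2.7", "bob", 200)])
    panos_agent = RedistPoint("panos-agent", seed=[Mapping("10.1.1.5", "alice", 150),
                                                   Mapping("10.3.3.9", "carol", 120),
                                                   Mapping("192.168.5.5", "dave", 90)])
    east = RedistPoint("hub-east", include_subnets=["10.1.0.0/16"])
    west = RedistPoint("hub-west", include_subnets=["10.2.0.0/16", "10.3.0.0/16"])
    for hub in (east, west):
        hub.add_source(win_agent)
        hub.add_source(panos_agent)
        hub.collect()
    top = RedistPoint("top")  # no filter: aggregates everything the regional hubs kept
    top.add_source(east)
    top.add_source(west)
    return top.collect()
```

Note that the top-layer firewall never sees the 192.168.5.5 mapping: a subnet filter applied at a lower layer also limits what every layer above it can collect.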
When traffic isn’t being enforced as