User-ID Best Practices for Redistribution
End-of-Life (EoL)
Learn the best ways for planning, deploying, and verifying
redistribution for User-ID information, along with other data types.
In a large-scale network, instead of configuring
all your firewalls to directly query the mapping information sources,
you can streamline resource usage by configuring firewalls to collect
mapping information that already exists on other firewalls through
redistribution.
Plan User-ID Best Practices for Redistribution Deployment
Plan the redistribution
architecture. Some factors to consider are:
Which firewalls will enforce policies for all data types and
which firewalls should receive a subset of data?
Which IP ranges require IP address-to-username mappings?
If you have an internal gateway that provides user mapping,
what other devices require that data? What function and role will
they have?
How can you minimize the number of hops required to aggregate
all the data? The maximum allowed number of hops for IP address-to-username
mappings is ten and the maximum allowed number of hops for username-to-tag
mappings and IP address-to-tag mappings is one.
How can you minimize the number of firewalls that query the
user mapping information sources? The fewer the number of querying
firewalls, the lower the processing load is on both the firewalls
and sources.
Determine the best option for your redistribution hub:
A dedicated virtual machine (VM)
is best for large-scale User-ID deployments. If you are only redistributing
user mappings, a VM-50 is sufficient. If you plan to also redistribute
IP address-to-tag mappings, we recommend using a VM-300 or higher
series.
Panorama is best for medium- to small-scale environments and
if you do not use syslog or server monitoring to collect user mappings.
Based on your network requirements, determine what type of
topology you want to use:
Hub-and-spoke for a single region
Hub-and-spoke for multiple regions
Hierarchical
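As an added planning aid (not from the original page or from Palo Alto Networks), the following Python script applies the hop limits above to a candidate topology: it counts redistribution hops outward from the firewalls that query the mapping sources directly (assumed here to be hop 0) and flags any firewall whose required data type cannot reach it within the limit, or that no agent feeds at all. The topology and firewall names are constructed.

```python
from collections import deque

# Hop limits stated on this page: ten for IP address-to-username mappings,
# one for username-to-tag and IP address-to-tag mappings.
MAX_HOPS = {"ip-user": 10, "user-tag": 1, "ip-tag": 1}

# Constructed sample hierarchical topology (names are made up). Each edge is
# (agent, client): the client collects mappings from the agent.
EDGES = [
    ("dc-hub", "region-west-hub"),
    ("dc-hub", "region-east-hub"),
    ("region-west-hub", "branch-west-1"),
    ("region-east-hub", "branch-east-1"),
]
SOURCES = {"dc-hub"}  # firewalls that query the sources directly (hop 0, an assumption)
NEEDS = {  # data types each policy-enforcing firewall must receive
    "region-west-hub": {"ip-user", "ip-tag"},
    "branch-west-1": {"ip-user", "ip-tag"},
    "branch-east-1": {"ip-user"},
    "lab-fw": {"ip-user"},  # not linked to any agent
}

def hop_counts(edges, sources):
    """BFS from the querying firewalls: minimum redistribution hops to each reachable firewall."""
    adj = {}
    for agent, client in edges:
        adj.setdefault(agent, []).append(client)
    dist = {s: 0 for s in sources}
    queue = deque(sources)
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, []):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist

def check_topology(edges, sources, needs):
    """Return (firewall, data_type, problem) for each need the plan cannot satisfy."""
    dist = hop_counts(edges, sources)
    findings = []
    for fw, types in sorted(needs.items()):
        for t in sorted(types):
            if fw not in dist:
                findings.append((fw, t, "not reachable from any querying firewall"))
            elif dist[fw] > MAX_HOPS[t]:
                findings.append((fw, t, f"{dist[fw]} hops exceeds limit of {MAX_HOPS[t]}"))
    return findings
```

In the sample, the branch two hops below the data-center hub is fine for user mappings but cannot receive IP address-to-tag mappings, which is the kind of finding that should push tag consumers closer to the hub or onto a dedicated redistribution VM.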
Deploy Redistribution Using Best Practices for User-ID
Configure the
sources of the information you want to redistribute:
User-ID IP address-to-username
mappings (including Windows User-ID agents)
Configure which networks you want the agent or agents to include
in the data redistribution and which networks you want to exclude
from redistributing IP address-to-tag mappings or IP address-to-username
mappings.
Use the
Include/Exclude Networks list to
define the subnetworks that the redistribution agent includes or
excludes when it redistributes the mappings.
Configure which networks or resources receive specific data
types through redistribution.
Use either a VM-series firewall or Panorama to redistribute
data. Because Panorama can be either an agent or a client, use to
configure data redistribution on Panorama.
If a firewall that enforces policy needs mappings from both
remote and local users because it is also a GlobalProtect gateway
and a data center, enable bidirectional redistribution.
To ensure optimal resiliency, you should enable bidirectional
redistribution only within a region, not between regions.
Use Redistribution Post-Deployment Best Practices for User-ID