Redistribute Identification Information from NGFWs to the Cloud
Learn about redistributing identification information from NGFWs to the
Cloud.
Where Can I Use This?
NGFW
Prisma Access

What Do I Need?
The Cloud Identity Engine service is free; however, the enforcement points that use directory data may require specific licenses.
Redistributing identification information allows the Cloud Identity Engine to serve as a
dynamic exchange point for network intelligence, extending its role beyond static
directory synchronization. By centralizing the distribution of User-ID mappings, IP
tags, and device context, the service replaces the need for complex, resource-intensive
peer-to-peer connections between individual firewalls. This "hub-and-spoke" architecture
enables your Next-Generation Firewalls, Panorama, and Prisma Access instances to share
locally learned identity data—such as GlobalProtect logins or XML API updates—across the
entire network fabric.
This redistribution is managed through User Context, which utilizes logical
groupings called "segments" to control the flow of information. You can configure
specific firewalls to publish data—including IP-to-User mappings, User Tags, and
Quarantine lists—to the cloud, while other devices subscribe to these segments to
receive and enforce policy based on that context. This capability is particularly
valuable for high-scale environments, such as Virtual Desktop Infrastructure (VDI),
where Terminal Server agents can publish IP-Port mappings directly to the cloud for
efficient global distribution.
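The "XML API updates" mentioned above are the User-ID messages a firewall accepts on its own XML API (type=user-id) before any of that data is redistributed. As an added example, not code from this page or from Palo Alto Networks, the following Python builds such a uid-message carrying the kinds of context the text lists (IP-to-User login/logout mappings, IP tags and User tags), parses it back for checking, and shows how it would be posted to a firewall. The firewall hostname, API key, user names, IP addresses and tag names are constructed placeholders; the Cloud Identity Engine segment configuration itself is not shown here because this page does not describe its API.

```python
"""
Build and post PAN-OS User-ID XML API updates, the locally learned identity
data a firewall can later publish to a Cloud Identity Engine segment.
Added example; not code from the Palo Alto Networks documentation.
Hostnames, users, IPs, tags and the API key are constructed placeholders.
"""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


def build_uid_message(logins=(), logouts=(), ip_tags=(), user_tags=()):
    """Return a <uid-message> document as a string.

    logins    : iterable of (user, ip, timeout_minutes)  -> IP-to-User mappings
    logouts   : iterable of (user, ip)                    -> mapping removals
    ip_tags   : iterable of (ip, [tag, ...])              -> IP tags (register)
    user_tags : iterable of (user, [tag, ...])            -> User tags (register-user)
    """
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")

    if logins:
        login = ET.SubElement(payload, "login")
        for user, ip, timeout in logins:
            ET.SubElement(login, "entry", name=user, ip=ip, timeout=str(timeout))
    if logouts:
        logout = ET.SubElement(payload, "logout")
        for user, ip in logouts:
            ET.SubElement(logout, "entry", name=user, ip=ip)
    if ip_tags:
        register = ET.SubElement(payload, "register")
        for ip, tags in ip_tags:
            entry = ET.SubElement(register, "entry", ip=ip)
            tag = ET.SubElement(entry, "tag")
            for t in tags:
                ET.SubElement(tag, "member").text = t
    if user_tags:
        register_user = ET.SubElement(payload, "register-user")
        for user, tags in user_tags:
            entry = ET.SubElement(register_user, "entry", user=user)
            tag = ET.SubElement(entry, "tag")
            for t in tags:
                ET.SubElement(tag, "member").text = t
    return ET.tostring(root, encoding="unicode")


def summarize_uid_message(xml_text):
    """Parse a uid-message back into plain dicts so an update can be reviewed before it is sent."""
    payload = ET.fromstring(xml_text).find("payload")
    return {
        "logins": {e.get("name"): e.get("ip") for e in payload.findall("login/entry")},
        "logouts": {e.get("name"): e.get("ip") for e in payload.findall("logout/entry")},
        "ip_tags": {e.get("ip"): [m.text for m in e.findall("tag/member")]
                    for e in payload.findall("register/entry")},
        "user_tags": {e.get("user"): [m.text for m in e.findall("tag/member")]
                      for e in payload.findall("register-user/entry")},
    }


def send_uid_update(firewall_host, api_key, uid_xml, verify_tls=True):
    """POST the update to https://<firewall>/api/?type=user-id (network call; not run here)."""
    body = urllib.parse.urlencode({"type": "user-id", "key": api_key, "cmd": uid_xml}).encode()
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab firewalls with self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(f"https://{firewall_host}/api/", data=body, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Constructed sample: one login, one logout, one IP tag and one User tag.
    msg = build_uid_message(
        logins=[("acme\\jsmith", "10.1.1.23", 20)],
        logouts=[("acme\\rdoe", "10.1.1.40")],
        ip_tags=[("10.1.1.23", ["vdi-pool"])],
        user_tags=[("acme\\jsmith", ["contractor"])],
    )
    print(msg)
    print(summarize_uid_message(msg))
    # send_uid_update("fw1.example.test", "<API_KEY>", msg)  # hypothetical firewall
```

The firewall that receives this message is the one that "learns" the mapping locally; once it is configured as a publisher for a User Context segment (the workflows that follow), the same mapping is what the subscribing firewalls, Panorama instances and Prisma Access receive. Keep the API key scoped to a role that only permits User-ID operations, and leave TLS verification on outside a lab.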
To implement this centralized redistribution, you must configure your network enforcement
points to communicate with the service. The following workflows detail how to establish
the Cloud Identity Engine as a Mapping Source on your firewalls and define the
User Context segments that determine how this critical intelligence is shared.