Configure a Redistribution Profile in Strata Cloud Manager
Learn about configuring Identity Redistribution Profiles in SCM.
| Where Can I Use This? | What Do I Need? |
|---|---|
| | |
To enforce security policy consistently across your Next-Generation Firewalls, you can
set up identity redistribution in Strata Cloud Manager. This uses the Cloud Identity
Engine's User Context feature, which replaces complex, resource-intensive peer-to-peer
User-ID redistribution meshes with a highly scalable "hub-and-spoke" model: each firewall
exchanges mappings with the cloud rather than with every other firewall.
By creating logical groupings called "segments," you can granularly control how your
enforcement points publish and subscribe to dynamic network intelligence, such as
IP-to-user mappings, user tags, and quarantine lists. To distribute mapping data
across your network, you must configure publishing segments (devices that send
locally learned data to the cloud) and subscribed segments (devices that receive
this data from the cloud).
When you assign an NGFW to a publishing segment, you can specify exactly
which types of locally learned identity context it contributes to the Cloud Identity
Engine. An NGFW can contribute each data type to only one segment.
The receiving data types are the same set as the contributing data types. When an NGFW
is placed in a subscribed segment, it receives the data types that the contributing
firewalls publish to that segment.
| Data Types | Description |
|---|---|
| IP User Mappings | Maps an IP address to a specific username. This information is gathered from various sources, including GlobalProtect, Authentication Portals, Syslog, XML APIs, XFF Headers, and Server Monitoring. |
| IP Tag Mappings | Maps an IP address to a network tag, which enables you to enforce security rules using Dynamic Address Groups. |
| User Tag Mappings | Maps a tag to a user, which is used for enforcing security rules based on user attributes via Dynamic User Groups. |
| IP Port Mappings | Maps an IP address to the specific port range allocated to a Windows-based terminal server user. This data is collected by the Terminal Server agent and is critical for identifying individual users in high-scale multi-user environments, such as Virtual Desktop Infrastructure (VDI). |
| Quarantine List | Lists devices that have been placed in quarantine by GlobalProtect or Cortex XDR, allowing you to quickly block access for compromised or non-compliant devices. |
- Log in to Strata Cloud Manager.
  - Navigate to Configuration > NGFW and Prisma Access > Identity Services > Identity Redistribution > Redistribution Profiles and set the Configuration Scope to the NGFW or NGFW Folder where you want to redistribute user context.
  - Add Redistribution Profile.
- Give the profile a descriptive Name.
  - (Optional) Add a Description to help other administrators easily identify the purpose and scope of this redistribution profile.
  - Copy and paste the Segment ID from Cloud Identity Engine into the field.
  - Set the Contributing Data Type: IP User, IP Tag, User Tag, IP Port User, Quarantine List.
  - Set the Receiving Data Type: IP User, IP Tag, User Tag, IP Port User, Quarantine List.
  - Save.
  - Push Config.
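To make the publishing and subscribing semantics concrete, the following is an added Python model of redistribution profiles (example code, not part of this documentation and not a Palo Alto Networks API): it enforces the rule that an NGFW contributes each data type to only one segment and computes, for a constructed fleet, which publishing firewalls feed each subscriber through the hub. The firewall names, segment IDs, and the assumption that a firewall is never its own source are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Data types a Redistribution Profile can contribute or receive (from the table above).
DATA_TYPES = {"IP User", "IP Tag", "User Tag", "IP Port User", "Quarantine List"}

@dataclass
class RedistributionProfile:
    name: str
    segment_id: str  # Segment ID copied from Cloud Identity Engine
    contributing: Set[str] = field(default_factory=set)
    receiving: Set[str] = field(default_factory=set)

def validate_profiles(firewall: str, profiles: List[RedistributionProfile]) -> List[str]:
    """Rule violations for one NGFW: unknown types, or a type contributed to more than one segment."""
    errors: List[str] = []
    contributed_to: Dict[str, str] = {}  # data type -> segment it is already published to
    for p in profiles:
        for dt in sorted((p.contributing | p.receiving) - DATA_TYPES):
            errors.append(f"{firewall}/{p.name}: unknown data type {dt!r}")
        for dt in sorted(p.contributing):
            seg = contributed_to.setdefault(dt, p.segment_id)
            if seg != p.segment_id:
                errors.append(f"{firewall}: contributes {dt!r} to segments {seg} and {p.segment_id}")
    return errors

def resolve_subscriptions(fleet: Dict[str, List[RedistributionProfile]]) -> Dict[str, Dict[str, Set[str]]]:
    """Hub-and-spoke fan-out: for each NGFW, the data types it receives and the firewalls publishing them."""
    publishers: Dict[Tuple[str, str], Set[str]] = {}  # (segment, data type) -> contributing firewalls
    for fw, profiles in fleet.items():
        for p in profiles:
            for dt in p.contributing:
                publishers.setdefault((p.segment_id, dt), set()).add(fw)
    received: Dict[str, Dict[str, Set[str]]] = {fw: {} for fw in fleet}
    for fw, profiles in fleet.items():
        for p in profiles:
            for dt in p.receiving:
                # Assumption: a firewall already holds its own mappings, so it is not its own source.
                sources = publishers.get((p.segment_id, dt), set()) - {fw}
                if sources:
                    received[fw].setdefault(dt, set()).update(sources)
    return received

# Constructed sample fleet: three NGFWs share segment "seg-hq"; fw-dc-1 also (wrongly)
# contributes IP User to a second segment, which validate_profiles must flag.
SAMPLE_FLEET = {
    "fw-branch-1": [RedistributionProfile("hq", "seg-hq", {"IP User", "Quarantine List"}, {"IP User", "IP Tag"})],
    "fw-branch-2": [RedistributionProfile("hq", "seg-hq", {"IP Tag"}, {"IP User", "Quarantine List"})],
    "fw-dc-1": [RedistributionProfile("hq", "seg-hq", {"IP User"}, {"Quarantine List"}),
                RedistributionProfile("dmz", "seg-dmz", {"IP User"}, set())],
}
```

Running `validate_profiles` over every firewall before Push Config catches a data type that would otherwise be claimed by two segments, and `resolve_subscriptions` shows which firewalls a subscriber will actually learn mappings from.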