In a large-scale network, instead of configuring all
your firewalls to directly query the mapping information sources,
you can streamline resource usage by configuring some firewalls
to collect mapping information through redistribution.
You can redistribute user mapping information collected
through any method except Terminal Server (TS) agents. You cannot
Mapping or HIP match information.
If you use
Panorama to manage firewalls and aggregate firewall logs, you can
use Panorama to manage User-ID redistribution.
Leveraging Panorama is a simpler solution than creating extra connections
between firewalls to redistribute User-ID information.
If you Configure
Authentication Policy, your firewalls must also redistribute
Timestamps that are generated when users authenticate to access
applications and services. Firewalls use the timestamps to evaluate
the timeouts for Authentication policy rules. The timeouts allow
a user who successfully authenticates to later request services
and applications without authenticating again within the timeout
periods. Redistributing timestamps enables you to enforce consistent
timeouts across all the firewalls in your network.
Firewalls share data and authentication timestamps as part of
the same redistribution flow; you don’t have to configure redistribution
for each information type separately.