End-of-Life (EoL)

Firewall Deployment for User-ID Redistribution

You can organize the redistribution sequence in layers, where each layer has one or more firewalls. In the bottom layer, PAN-OS integrated User-ID agents running on firewalls and Windows-based User-ID agents running on Windows servers perform the IP address-to-username mapping. Each higher layer has firewalls that receive the mapping information from up to 100 User-ID agents in the layer beneath it. The top-layer firewalls aggregate the mapping information from all layers. This deployment provides the option to configure global policies for all users (in top-layer firewalls) and region- or function-specific policies for a subset of users in the corresponding domains (in lower-layer firewalls).
Figure 1 shows a deployment with three layers of firewalls that redistribute mapping information from local information sources (directory servers, in this example) to regional offices and then to a global data center. The data center firewall that aggregates all the mapping information shares it with other data center firewalls so that they can all enforce global policy. Only the bottom layer firewalls use PAN-OS integrated User-ID agents and Windows-based User-ID agents to query the directory servers.
The information sources from which User-ID agents collect mapping information do not count towards the maximum of ten
in the sequence. However, Windows-based User-ID agents that forward mapping information to firewalls do count. Therefore, in this example, redistribution from the European region to all the data center firewalls requires only three hops, while redistribution from the North American region requires four hops. Also in this example, the top layer has two hops: the first to aggregate mapping information in one data center firewall and the second to share the information with other data center firewalls.

Recommended For You