Redistribute User Mappings and Authentication Timestamps
Every firewall that enforces user-based policy requires
user mapping information. In a large-scale network, instead of configuring
all your firewalls to directly query the mapping information sources, you
can streamline resource usage by configuring some firewalls to collect
mapping information through redistribution. Redistribution also
enables the firewalls to enforce user-based policies when users
rely on local sources for authentication (such as regional directory
services) but need access to remote services and applications (such
as global data center applications).
You can redistribute user mapping information collected
through any method except Terminal Services (TS) agents. You cannot
redistribute Group Mapping or HIP match information.
If you use Panorama and Dedicated Log Collectors to manage firewalls
and aggregate firewall logs, you can use Panorama to manage User-ID redistribution.
Leveraging Panorama and your distributed log collection infrastructure
is a simpler solution than creating extra connections between firewalls
to redistribute User-ID information.
If you configure
Authentication Policy, your firewalls must also redistribute the
timestamps that are generated when users authenticate to
access applications and services. Firewalls use the timestamps to
evaluate the timeouts for Authentication policy rules. The timeouts
allow a user who successfully authenticates to later request services
and applications without authenticating again within the timeout
periods. Redistributing timestamps enables you to enforce consistent
timeouts across all the firewalls in your network.
Firewalls share user mappings and authentication timestamps as
part of the same redistribution flow; you don’t have to configure
redistribution for each information type separately.
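As an added illustration (a constructed model, not PAN-OS code or configuration), the following Python sketch shows the flow described above: a regional firewall redistributes its user mappings, with their authentication timestamps, to a data center firewall, which then applies the same Authentication Policy timeout; TS-agent mappings stay local. The source labels, addresses and times are assumptions made up for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed model of User-ID redistribution; source labels are illustrative, not PAN-OS names.
# TS-agent mappings (and Group Mapping / HIP match data) are not redistributed.
REDISTRIBUTABLE = {"agent", "syslog", "xml-api", "captive-portal", "redistribution"}


@dataclass
class Mapping:
    ip: str
    user: str
    source: str
    auth_ts: Optional[float] = None  # epoch seconds of the user's last successful authentication


@dataclass
class Firewall:
    name: str
    table: Dict[str, Mapping] = field(default_factory=dict)

    def learn(self, m: Mapping) -> None:
        self.table[m.ip] = m

    def redistribute(self) -> List[Mapping]:
        # One flow carries both the mapping and its timestamp; TS-agent entries are filtered out.
        return [m for m in self.table.values() if m.source in REDISTRIBUTABLE]

    def receive(self, batch: List[Mapping]) -> None:
        for m in batch:
            self.learn(Mapping(m.ip, m.user, "redistribution", m.auth_ts))

    def needs_auth(self, ip: str, now: float, timeout_s: float) -> bool:
        # Authentication Policy timeout: no mapping, no timestamp, or an expired timestamp means re-challenge.
        m = self.table.get(ip)
        return m is None or m.auth_ts is None or (now - m.auth_ts) > timeout_s


def scenario(timeout_s: float = 3600.0) -> dict:
    regional, datacenter = Firewall("regional"), Firewall("datacenter")
    regional.learn(Mapping("10.1.1.5", "alice", "agent", auth_ts=1000.0))      # constructed: alice authenticated at t=1000
    regional.learn(Mapping("10.1.1.9", "bob", "ts-agent", auth_ts=1000.0))     # constructed: TS-agent mapping, not shared
    before = datacenter.needs_auth("10.1.1.5", now=1500.0, timeout_s=timeout_s)
    datacenter.receive(regional.redistribute())
    return {
        "before_redistribution": before,   # data center firewall never saw alice authenticate
        "after_redistribution": datacenter.needs_auth("10.1.1.5", now=1500.0, timeout_s=timeout_s),
        "after_timeout": datacenter.needs_auth("10.1.1.5", now=1000.0 + timeout_s + 1, timeout_s=timeout_s),
        "ts_agent_redistributed": "10.1.1.9" in datacenter.table,
    }
```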