Redistribute User Mappings and Authentication Timestamps

Every firewall that enforces user-based policy requires user mapping information. In a large-scale network, instead of configuring all your firewalls to directly query the mapping information sources, you can streamline resource usage by configuring some firewalls to collect mapping information through redistribution. Redistribution also enables the firewalls to enforce user-based policies when users rely on local sources for authentication (such as regional directory services) but need access to remote services and applications (such as global data center applications).
You can redistribute user mapping information collected through any method except Terminal Services (TS) agents. You cannot redistribute Group Mapping or HIP match information.
If you use Panorama and Dedicated Log Collectors to manage firewalls and aggregate firewall logs, you can use Panorama to manage User-ID redistribution. Leveraging Panorama and your distributed log collection infrastructure is a simpler solution than creating extra connections between firewalls to redistribute User-ID information.
If you configure Authentication policy, your firewalls must also redistribute the authentication timestamps that are generated when users authenticate to access applications and services. Firewalls use the timestamps to evaluate the timeouts for Authentication policy rules. The timeouts allow a user who successfully authenticates to later request services and applications without authenticating again within the timeout periods. Redistributing timestamps enables you to enforce consistent timeouts across all the firewalls in your network.
Firewalls share user mappings and authentication timestamps as part of the same redistribution flow; you don’t have to configure redistribution for each information type separately.
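
The following conceptual model is an added example, not vendor code or a PAN-OS API. It shows why a firewall that has not received redistributed timestamps prompts a user who already authenticated elsewhere, and that Terminal Services agent mappings are left out of the flow. The class and method names, the source labels, the IP addresses and the 3600-second timeout are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
# Conceptual model only: every name here is an assumption made for this
# example and does not correspond to PAN-OS internals, CLI or API.
NOT_REDISTRIBUTABLE = {"ts-agent"}  # per the text, TS agent mappings stay local

@dataclass
class Firewall:
    mappings: dict = field(default_factory=dict)    # ip -> (user, source)
    auth_times: dict = field(default_factory=dict)  # (ip, user) -> epoch seconds

    def learn(self, ip, user, source):
        self.mappings[ip] = (user, source)

    def record_auth(self, ip, now):
        self.auth_times[(ip, self.mappings[ip][0])] = now

    def pull_from(self, peer):
        """One redistribution flow carries mappings and timestamps together."""
        for ip, (user, source) in peer.mappings.items():
            if source in NOT_REDISTRIBUTABLE:
                continue
            self.mappings[ip] = (user, source)
            stamp = peer.auth_times.get((ip, user))
            if stamp is not None:  # keep the newest timestamp seen
                mine = self.auth_times.get((ip, user), stamp)
                self.auth_times[(ip, user)] = max(stamp, mine)

    def decide(self, ip, now, timeout):
        """Outcome for traffic that matches an Authentication policy rule."""
        user = self.mappings.get(ip, (None, None))[0]
        stamp = self.auth_times.get((ip, user))
        if stamp is not None and now - stamp < timeout:
            return "allow"      # still inside the timeout: no new prompt
        return "challenge"      # no timestamp, or timeout expired

def demo():
    # Constructed sample data: documentation-range IPs and made-up users.
    regional, datacenter = Firewall(), Firewall()
    regional.learn("192.0.2.10", "alice", "server-monitoring")
    regional.learn("192.0.2.20", "bob", "ts-agent")
    regional.record_auth("192.0.2.10", now=1000)
    before = datacenter.decide("192.0.2.10", now=1300, timeout=3600)
    datacenter.pull_from(regional)
    return {
        "before_pull": before,
        "after_pull": datacenter.decide("192.0.2.10", now=1300, timeout=3600),
        "after_timeout": datacenter.decide("192.0.2.10", now=4600, timeout=3600),
        "ts_agent_mapping_shared": "192.0.2.20" in datacenter.mappings,
    }
```

Calling `demo()` returns the data center firewall's decision before the pull, after the pull, and after the timeout has elapsed, plus whether the TS agent mapping crossed over.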
