Plan the redistribution architecture.
Some factors to consider are:
- Which firewalls will enforce policies for all users, and which firewalls will enforce region- or function-specific policies for a subset of users?
- How many hops does the redistribution sequence require to aggregate all User-ID information? The maximum allowed number of hops is ten.
- How can you minimize the number of firewalls that query the user mapping information sources? The fewer the querying firewalls, the lower the processing load on both the firewalls and the sources.
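The planning questions above can be checked mechanically before anything is configured. The following is an added example written for this page, not Palo Alto Networks code: it models a proposed redistribution topology as a directed graph, treats every virtual system as its own node (because the guide counts each vsys as a hop), finds the longest redistribution sequence and compares it against the ten-hop limit, lists nodes that would never receive mappings, and reports how many nodes query the information sources directly. All firewall and vsys names in the sample topology are hypothetical.

```python
from collections import defaultdict

MAX_HOPS = 10  # the guide's limit on hops in a redistribution sequence


class RedistributionPlan:
    """Directed graph of a planned User-ID redistribution topology.

    Each node is one firewall or one virtual system (a vsys is modelled
    as its own node because the guide counts every vsys as a hop).  An
    edge source -> dest means dest receives User-ID mappings from source.
    """

    def __init__(self):
        self.nodes = set()
        self.receivers = defaultdict(set)   # source -> nodes that pull from it
        self.querying = set()               # nodes that query the mapping sources

    def add_node(self, name, queries_sources=False):
        self.nodes.add(name)
        if queries_sources:
            self.querying.add(name)

    def add_redistribution(self, source, dest):
        self.nodes.update((source, dest))
        self.receivers[source].add(dest)

    def longest_sequence(self):
        """Return (hops, path) for the longest chain starting at a querying
        node; hops = nodes after the origin.  Raises ValueError on a loop."""
        best = (0, [])

        def walk(node, path):
            nonlocal best
            if node in path:
                raise ValueError(f"redistribution loop through {node}")
            path.append(node)
            if len(path) - 1 > best[0]:
                best = (len(path) - 1, list(path))
            for nxt in self.receivers.get(node, ()):
                walk(nxt, path)
            path.pop()

        for origin in sorted(self.querying):
            walk(origin, [])
        return best

    def unreached(self):
        """Nodes that no querying node redistributes to, directly or via
        intermediate hops: they would never receive any mappings."""
        seen, stack = set(), list(self.querying)
        while stack:
            n = stack.pop()
            if n not in seen:
                seen.add(n)
                stack.extend(self.receivers.get(n, ()))
        return sorted(self.nodes - seen)

    def problems(self):
        """Human-readable planning issues; empty list means the plan is valid."""
        issues = []
        hops, path = self.longest_sequence()
        if hops > MAX_HOPS:
            issues.append(f"{' -> '.join(path)}: {hops} hops exceeds {MAX_HOPS}")
        issues.extend(f"{n}: receives no User-ID information" for n in self.unreached())
        return issues


def example_plan():
    """Constructed sample topology (hypothetical names): one data-center
    firewall queries the sources and feeds a hub, which feeds a regional
    firewall whose two vsys redistribute in turn."""
    p = RedistributionPlan()
    p.add_node("dc-fw", queries_sources=True)
    p.add_redistribution("dc-fw", "hub-fw")
    p.add_redistribution("hub-fw", "region-west")
    p.add_redistribution("hub-fw", "region-east/vsys1")
    # two vsys on the same firewall: each still counts as a hop
    p.add_redistribution("region-east/vsys1", "region-east/vsys2")
    p.add_redistribution("region-east/vsys2", "branch-03")
    return p


if __name__ == "__main__":
    plan = example_plan()
    print("longest sequence:", plan.longest_sequence())
    print("querying nodes:", sorted(plan.querying))
    print("problems:", plan.problems() or "none")
```

Only one node in the sample queries the sources, which is the shape the guide recommends; the hop count is measured from that node, so adding a vsys in the middle of a chain lengthens the sequence exactly as the guide describes.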
Perform the following steps on the firewalls in the User-ID redistribution sequence.
Configure the firewall to redistribute User-ID information. Skip this step if the firewall receives but does not redistribute User-ID information.
Select Device > User Identification > User Mapping.
(Firewalls with multiple virtual systems only) Select the Location. You must configure the User-ID settings for each virtual system. You can redistribute information among virtual systems on different firewalls or on the same firewall. In both cases, each virtual system counts as one hop in the redistribution sequence.
Edit the Palo Alto Networks User-ID Agent Setup and select Redistribution. Enter a Collector Name and Pre-Shared Key to identify this firewall or virtual system as a User-ID agent. Click OK to save your changes.
Configure the service route that the firewall uses to query other firewalls for User-ID information. Skip this step if the firewall receives user mapping information from Windows-based User-ID agents or directly from the information sources (such as directory servers) instead of from other firewalls.
This example output shows the authentication timestamp for one response to an authentication challenge (factor). For Authentication policy rules that use Multi-Factor Authentication (MFA), the output shows multiple Authentication Timestamps.