User-ID Redistribution Using Panorama

One of the key benefits of the Palo Alto Networks firewall is that it can enforce policies and generate reports based on usernames instead of IP addresses. The challenge for large-scale networks is ensuring that every firewall that enforces policies and generates reports has the IP address-to-username mappings for your entire user base. Additionally, every firewall that enforces Authentication Policy requires a complete, identical set of authentication timestamps for your user base. Whenever users authenticate to access services and applications, individual firewalls record the associated timestamps but do not automatically share them with other firewalls, so the timestamps are not consistent across firewalls. User-ID™ solves these challenges for large-scale networks by enabling you to redistribute information (user mappings and timestamps). Instead of setting up extra connections to redistribute User-ID information between firewalls, you can leverage your Panorama and distributed log collection infrastructure to Redistribute User-ID Information to Managed Firewalls. The infrastructure has existing connections that enable you to redistribute User-ID information in layers, from firewalls to Log Collectors to Panorama. Panorama can then redistribute the information to the firewalls that enforce policies and generate reports for all your users.
Each firewall, Log Collector, or Panorama management server can receive User-ID information from up to 100 redistribution points. The redistribution points can be Windows-based User-ID agents or other firewalls, Log Collectors, and Panorama management servers. The figure Panorama and Log Collectors as User-ID Redistribution Points illustrates a redistribution sequence in which the firewalls perform user mapping by directly monitoring information sources such as directory servers and syslog senders. However, you can also use Windows-based User-ID agents to perform the mapping and redistribute the information to firewalls. Only the firewalls record authentication timestamps when user traffic matches Authentication policy rules.
You can redistribute user mappings collected through any method except Terminal Services (TS) agents. You cannot redistribute username-to-group mapping or HIP match information.
Panorama and Log Collectors as User-ID Redistribution Points
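The layered chain described above, as an added model that is not Palo Alto Networks code: each node receives from at most 100 redistribution points, forwards everything it knows except Terminal Services agent mappings, and the enforcing firewall at the bottom ends up with the union of mappings gathered at the edge. Node names, IP addresses, usernames and timestamps are constructed; the rule that the newest authentication timestamp per user wins when two sources disagree is an assumption of this model.

```python
from dataclasses import dataclass, field

MAX_REDISTRIBUTION_POINTS = 100   # limit stated in the text: up to 100 points per receiver
NOT_REDISTRIBUTED = {"ts-agent"}  # Terminal Services agent mappings are used locally only

@dataclass
class Mapping:
    user: str
    source: str  # how the mapping was learned: "ldap", "syslog", "ts-agent", ...

@dataclass
class Node:
    """A firewall, Log Collector, or Panorama server in the redistribution chain (constructed model)."""
    name: str
    sources: list = field(default_factory=list)    # upstream redistribution points
    local_map: dict = field(default_factory=dict)  # ip -> Mapping learned on this node
    local_ts: dict = field(default_factory=dict)   # user -> auth timestamp recorded here
    def add_source(self, node):
        if len(self.sources) >= MAX_REDISTRIBUTION_POINTS:
            raise ValueError(f"{self.name}: too many redistribution points")
        self.sources.append(node)
    def table(self):
        """Everything this node knows: its own data plus what its sources redistribute."""
        ip_map, ts = dict(self.local_map), dict(self.local_ts)
        for src in self.sources:
            src_map, src_ts = src.export()
            ip_map.update(src_map)
            for user, stamp in src_ts.items():  # assumption: newest timestamp per user wins
                ts[user] = max(stamp, ts.get(user, 0))
        return ip_map, ts
    def export(self):
        """What this node forwards downstream: its table minus non-redistributable mappings."""
        ip_map, ts = self.table()
        return {ip: m for ip, m in ip_map.items() if m.source not in NOT_REDISTRIBUTED}, ts

def build_chain():
    """Constructed topology: mapping firewalls -> Log Collector -> Panorama -> enforcing firewall."""
    fw1 = Node("fw-site-a", local_map={"10.1.1.5": Mapping("alice", "ldap"),
                                       "10.1.1.9": Mapping("bob", "ts-agent")},
               local_ts={"alice": 1700000000})
    fw2 = Node("fw-site-b", local_map={"10.2.2.7": Mapping("carol", "syslog")},
               local_ts={"alice": 1700000500, "carol": 1700000100})
    lc, pano, fw3 = Node("log-collector"), Node("panorama"), Node("fw-datacenter")
    for src in (fw1, fw2):
        lc.add_source(src)
    pano.add_source(lc)
    fw3.add_source(pano)
    return fw1, fw3
```

Calling `build_chain()` and inspecting `fw3.table()` shows the datacenter firewall holding alice's and carol's mappings with the newer timestamp for alice, while bob's TS-agent mapping remains visible only on the firewall that learned it.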