One of the key benefits of the Palo Alto Networks firewall is that it can enforce policies and generate reports based on usernames instead of IP addresses. The challenge for large-scale networks is ensuring that every firewall that enforces policies and generates reports has the IP address-to-username mappings for your entire user base. Additionally, every firewall that enforces Authentication Policy requires a complete, identical set of authentication timestamps for your user base. Whenever users authenticate to access services and applications, individual firewalls record the associated timestamps but do not automatically share them with other firewalls, so the timestamp sets can drift apart. User-ID™ solves these challenges for large-scale networks by enabling you to redistribute User-ID information (user mappings and timestamps). Instead of setting up extra connections to redistribute the User-ID information directly between firewalls, you can leverage your Panorama and distributed log collection infrastructure to Redistribute User-ID Information to Managed Firewalls. That infrastructure already has the connections needed to redistribute User-ID information in layers, from firewalls to Log Collectors to Panorama. Panorama can then redistribute the information to the firewalls that enforce policies and generate reports for all your users.

Each firewall, Log Collector, or Panorama management server can receive User-ID information from up to 100 redistribution points. The redistribution points can be Windows-based User-ID agents or other firewalls, Log Collectors, and Panorama management servers. Panorama and Log Collectors as User-ID Redistribution Points illustrates a redistribution sequence where the firewalls perform user mapping by directly monitoring information sources such as directory servers and syslog senders. However, you can also use Windows-based User-ID agents to perform the mapping and redistribute the information to firewalls. Only the firewalls record authentication timestamps, which they do when user traffic matches Authentication policy rules.

You can redistribute user mappings collected through any method except Terminal Services (TS) agents. You cannot redistribute username-to-group mapping or HIP match information.
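The layered flow described above (collecting firewalls to Log Collectors to Panorama, then Panorama back out to the enforcing firewalls) and the two restrictions in the last paragraph can be checked on a planned topology before anything is configured. The following is an added, constructed Python model written for this page; it is not PAN-OS or Panorama code and uses no product API. Node names, roles, the record tuple format, and the sample mappings and timestamps are all assumptions made for the example. The model enforces the page's limit of 100 redistribution points per receiver, drops TS-agent mappings, group mappings and HIP match information at every hop, and propagates to a fixed point so that a loop such as firewall to Log Collector to Panorama to firewall is handled.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed model of User-ID redistribution (not PAN-OS code).
# The limits and rules below are the ones stated on the page.
MAX_REDISTRIBUTION_POINTS = 100
REDISTRIBUTION_POINT_ROLES = {"windows_agent", "firewall", "log_collector", "panorama"}
REDISTRIBUTABLE_KINDS = {"ip_user_mapping", "auth_timestamp"}  # group mapping and HIP are not
EXCLUDED_METHODS = {"ts_agent"}  # Terminal Services agent mappings are never redistributed

# A record is (kind, collection method, key, value), for example:
#   ("ip_user_mapping", "server_monitoring", "10.1.0.5", "alice")
#   ("auth_timestamp",  "auth_policy",       "alice",    "2024-01-01T09:00:00Z")
Record = Tuple[str, str, str, str]


@dataclass
class Node:
    name: str
    role: str
    local: Set[Record] = field(default_factory=set)       # learned by this node itself
    sources: List["Node"] = field(default_factory=list)   # redistribution points it receives from


def validate_topology(nodes: List[Node]) -> List[str]:
    """Report receivers with too many redistribution points or sources that cannot redistribute."""
    issues = []
    for n in nodes:
        if len(n.sources) > MAX_REDISTRIBUTION_POINTS:
            issues.append(f"{n.name}: {len(n.sources)} redistribution points exceeds "
                          f"{MAX_REDISTRIBUTION_POINTS}")
        for s in n.sources:
            if s.role not in REDISTRIBUTION_POINT_ROLES:
                issues.append(f"{n.name}: source {s.name} has role {s.role!r}, which cannot redistribute")
    return issues


def exportable(records: Set[Record]) -> Set[Record]:
    """The subset of a node's records that it passes on to nodes receiving from it."""
    return {r for r in records if r[0] in REDISTRIBUTABLE_KINDS and r[1] not in EXCLUDED_METHODS}


def propagate(nodes: List[Node]) -> Dict[str, Set[Record]]:
    """Fixed-point propagation: each node knows its local records plus what its sources export.
    Iterating until nothing changes handles loops (firewall -> Log Collector -> Panorama -> firewall)."""
    known = {n.name: set(n.local) for n in nodes}
    changed = True
    while changed:
        changed = False
        for n in nodes:
            merged = set(n.local)
            for s in n.sources:
                merged |= exportable(known[s.name])
            if merged != known[n.name]:
                known[n.name] = merged
                changed = True
    return known


def timestamps_consistent(known: Dict[str, Set[Record]], names: List[str]) -> bool:
    """True when every named firewall holds the identical set of authentication timestamps."""
    sets = [{r for r in known[n] if r[0] == "auth_timestamp"} for n in names]
    return all(s == sets[0] for s in sets)


def build_example() -> List[Node]:
    # Constructed topology following the page's layering:
    # collecting firewalls -> Log Collector -> Panorama -> every firewall.
    fw1 = Node("fw-east", "firewall", {
        ("ip_user_mapping", "server_monitoring", "10.1.0.5", "alice"),
        ("auth_timestamp", "auth_policy", "alice", "2024-01-01T09:00:00Z"),
        ("ip_user_mapping", "ts_agent", "10.1.0.9", "bob"),          # TS agent mapping: stays local
        ("group_mapping", "ldap", "alice", "cn=engineering"),        # group mapping: stays local
        ("hip_match", "globalprotect", "10.1.0.5", "hip-compliant"), # HIP match: stays local
    })
    fw2 = Node("fw-west", "firewall", {
        ("ip_user_mapping", "syslog", "10.2.0.7", "carol"),
        ("auth_timestamp", "auth_policy", "carol", "2024-01-01T09:05:00Z"),
    })
    lc = Node("lc-1", "log_collector", sources=[fw1, fw2])
    pan = Node("panorama", "panorama", sources=[lc])
    fw3 = Node("fw-dc", "firewall", sources=[pan])   # enforcement-only firewall
    # The collecting firewalls also receive from Panorama, so all timestamp sets end up identical.
    fw1.sources.append(pan)
    fw2.sources.append(pan)
    return [fw1, fw2, lc, pan, fw3]


if __name__ == "__main__":
    nodes = build_example()
    for issue in validate_topology(nodes):
        print("topology issue:", issue)
    known = propagate(nodes)
    for n in nodes:
        print(n.name, sorted(known[n.name]))
    print("timestamps consistent:", timestamps_consistent(known, ["fw-east", "fw-west", "fw-dc"]))
```

Running the script shows that `fw-dc` ends up with both collecting firewalls' IP-to-user mappings and timestamps while the TS-agent mapping, the group mapping and the HIP match never leave `fw-east`; adding a 101st source to any node makes `validate_topology` flag it.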