User-ID Redistribution Methods

Overview

User-ID redistribution allows Palo Alto Networks firewalls to share IP-address-to-user mappings and other identity information with other firewalls. In a large or distributed environment only some firewalls sit close to the User-ID sources (agents, directory servers, syslog senders, authentication portals), while every firewall that enforces user-based policy needs the same mappings; redistribution delivers them so policy decisions are consistent wherever a user's traffic is inspected. The firewall that serves mappings is the redistribution agent; the firewall that connects to it and imports them is the client, and one firewall can play both roles.

Key Components

Supported Data Types for Redistribution

Redistribution Architectures

1. Hub-and-Spoke

A central firewall (hub) collects user mapping information from the User-ID sources and acts as the redistribution agent; each client firewall (spoke) is configured with the hub as its agent and connects to it to pull the mappings. Only the hub needs reachability to the User-ID sources, and only the hub exposes the User-ID redistribution service.

    graph TD
      A[User-ID Sources] --> B[Hub Firewall]
      B --> C[Client Firewall 1]
      B --> D[Client Firewall 2]
      B --> E[Client Firewall 3]

2. Multi-Hub

Multiple regional hubs each collect user mapping information from their own region's sources and redistribute it to the local client firewalls; optionally, hubs also share data with each other. Each arrow is one agent-to-client relationship configured on the receiving firewall, so the hub-to-hub link is directional: as drawn below, Hub Firewall 2 receives Region 1 mappings, but Hub Firewall 1 and its clients never see Region 2 users unless the reverse relationship is configured as well.

    graph TD
      A[User-ID Sources Region 1] --> B[Hub Firewall 1]
      F[User-ID Sources Region 2] --> G[Hub Firewall 2]
      B --> C[Client Firewall 1]
      B --> D[Client Firewall 2]
      G --> H[Client Firewall 3]
      G --> I[Client Firewall 4]
      B --> G

3. Hierarchical

Firewalls are organized in layers. The lower-layer (branch) firewalls collect user mapping information from local sources and act as redistribution agents; the regional firewall is a client of each branch and at the same time the agent for the central firewall, so mappings pass up one layer per hop. Note that data only flows upward here: a branch firewall sees only the users it collected itself.

    graph TD
      A[Branch Firewall 1] --> B[Regional Firewall]
      C[Branch Firewall 2] --> B
      B --> D[Central Firewall]

Configuration Steps

  1. Configure the Redistribution Agent:
    • On the agent firewall, navigate to Device > User Identification > User Mapping or Device > Data Redistribution > Collector Settings (the path depends on the PAN-OS release).
    • Enable redistribution and specify a Collector Name and a Pre-Shared Key. Use a long, randomly generated key; it is the only thing that authenticates a client to the agent.
  2. Configure the Redistribution Client:
    • On the client firewall, navigate to Device > User Identification > User-ID Agents or Device > Data Redistribution > Agents.
    • Add the agent's details: Host, Port (5007 by default), Collector Name and Pre-Shared Key. Collector Name and key must match the agent's values exactly; a mismatch only shows up when the client tries to connect.
    • After committing both sides, check the connection from the client with show user user-id-agent state all.
  3. Include/Exclude Networks:
    • Define which subnets are included in or excluded from redistribution. Limiting the list to the subnets a client actually enforces policy for reduces the mapping table each client has to hold and keeps mappings for networks a client should never see (for example guest or partner ranges) off that device.
  4. Service Routes:
    • By default the client sources its connection to the agent from the management interface. If it must reach the agent through a dataplane interface instead, configure a service route for the User-ID agent service (Device > Setup > Services > Service Route Configuration) so the connection uses the intended source interface and address.
  5. Interface Management Profiles:
    • On the agent firewall, the dataplane interface that clients connect to needs an Interface Management Profile with the User-ID service enabled; if clients connect to the management interface, enable User-ID under the management interface settings instead.
    • Restrict the profile's permitted IP addresses to the client firewalls. The redistribution service is protected only by the pre-shared key, so it should not be reachable from arbitrary hosts.
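The three architectures and the Include/Exclude step above, as an added example that is not code from the original page or from Palo Alto Networks: a small offline model of a redistribution topology in Python (standard library only). Each firewall is listed with the agents it pulls from, which is the diagram arrows reversed; it checks that every firewall actually receives the mappings it needs, rejects redistribution loops, reports how many hops each firewall sits from the collectors, and applies an Include/Exclude Networks list to a set of mappings. The topology names, addresses and users are constructed, and the Include/Exclude semantics (most-specific match, exclude wins on ties, at least one include entry implicitly excludes everything else) are stated here as assumptions rather than taken from the product documentation.

```python
"""Offline model of User-ID redistribution topologies (added example; it does
not talk to a firewall and is not a Palo Alto Networks API)."""
from ipaddress import ip_address, ip_network

# Constructed topologies. Each firewall maps to the agents it pulls from
# (what it would list under Device > Data Redistribution > Agents), i.e. the
# diagram arrows reversed.
HUB_AND_SPOKE = {"hub": [], "spoke1": ["hub"], "spoke2": ["hub"], "spoke3": ["hub"]}
MULTI_HUB = {"hub1": [], "hub2": ["hub1"],            # hub1 -> hub2 only, as drawn
             "client1": ["hub1"], "client2": ["hub1"],
             "client3": ["hub2"], "client4": ["hub2"]}
HIERARCHICAL = {"branch1": [], "branch2": [],
                "regional": ["branch1", "branch2"], "central": ["regional"]}
# Firewalls that collect mappings from their own User-ID sources (constructed).
LOCAL_SOURCES = {"hub", "hub1", "hub2", "branch1", "branch2"}


def upstream_closure(agents_of):
    """For each firewall, every firewall whose mappings it ultimately receives.
    Raises ValueError on a loop: a firewall that is (directly or via
    intermediaries) a client of one of its own clients would re-import
    mappings it originated, so the model treats that as a configuration error."""
    closure = {}

    def visit(fw, path):
        if fw in closure:
            return closure[fw]
        if fw in path:
            raise ValueError("redistribution loop: " + " -> ".join(path + [fw]))
        upstream = set()
        for agent in agents_of[fw]:
            upstream.add(agent)
            upstream |= visit(agent, path + [fw])
        closure[fw] = upstream
        return upstream

    for fw in agents_of:
        visit(fw, [])
    return closure


def has_loop(agents_of):
    """True if the agent/client relationships form a cycle."""
    try:
        upstream_closure(agents_of)
        return False
    except ValueError:
        return True


def missing_sources(agents_of, local_sources):
    """Per firewall, the collectors whose mappings never reach it.
    Any firewall listed here cannot enforce identity policy for users that
    only those collectors know about."""
    closure = upstream_closure(agents_of)
    collectors = local_sources & set(agents_of)
    gaps = {}
    for fw, upstream in closure.items():
        gap = collectors - upstream - {fw}
        if gap:
            gaps[fw] = sorted(gap)
    return gaps


def hop_count(agents_of):
    """Longest chain of agents feeding each firewall (0 = local data only)."""
    upstream_closure(agents_of)  # rejects loops before the recursion below
    depth = {}

    def d(fw):
        if fw not in depth:
            depth[fw] = 1 + max((d(a) for a in agents_of[fw]), default=-1)
        return depth[fw]

    return {fw: d(fw) for fw in agents_of}


# Constructed IP-to-user mappings as a collector might hold them.
MAPPINGS = {
    "10.1.20.7": "corp\\alice",         # user VLAN, inside the include
    "10.1.99.3": "corp\\svc-scanner",   # server VLAN, excluded below
    "192.168.5.9": "corp\\guest01",     # guest range, outside every include
}


def apply_include_exclude(mappings, include=(), exclude=()):
    """Filter mappings with the assumed Include/Exclude Networks semantics:
    with at least one include entry, addresses outside every include are
    dropped; an exclude entry drops an address when it is at least as specific
    as the best include covering it; with no include entries, everything that
    is not excluded passes."""
    inc = [ip_network(n) for n in include]
    exc = [ip_network(n) for n in exclude]
    kept = {}
    for ip, user in mappings.items():
        addr = ip_address(ip)
        best_inc = max((n.prefixlen for n in inc if addr in n), default=None)
        best_exc = max((n.prefixlen for n in exc if addr in n), default=None)
        if inc and best_inc is None:
            continue
        if best_exc is not None and (best_inc is None or best_exc >= best_inc):
            continue
        kept[ip] = user
    return kept


if __name__ == "__main__":
    for name, topo in [("hub-and-spoke", HUB_AND_SPOKE), ("multi-hub", MULTI_HUB),
                       ("hierarchical", HIERARCHICAL)]:
        print(name, "hops:", hop_count(topo), "missing:", missing_sources(topo, LOCAL_SOURCES))
    print("loop:", has_loop({"hub1": ["hub2"], "hub2": ["hub1"]}))
    print(apply_include_exclude(MAPPINGS, include=["10.0.0.0/8"], exclude=["10.1.99.0/24"]))
```

Running it shows the point made about the multi-hub diagram: with only the Hub 1 to Hub 2 relationship configured, Hub 1 and Client Firewalls 1 and 2 are reported as missing Hub 2's mappings, while the hierarchical layout reports each branch as missing the other branch. Those are exactly the firewalls on which a security policy keyed on a remote region's users would silently fail to match, so the check is worth running against the real agent list before relying on identity-based rules there.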

Best Practices

References