Overview
In a multi-virtual-system (multi-vsys) environment, Palo Alto Networks' PAN-OS allows one virtual system to be designated as the User-ID Hub. The hub centralizes the collection and distribution of user-to-IP and user-to-group mappings, so every virtual system identifies users consistently. Consolidating User-ID sources in the hub simplifies configuration, removes duplicate sources, and improves the accuracy of user-based policy enforcement.
Mermaid Sequence Diagram: User-ID Hub Configuration Workflow

```mermaid
sequenceDiagram
    participant Admin
    participant Firewall
    participant Vsys1
    participant Vsys2
    Admin->>Firewall: Enable Multi-VSYS Capability
    Firewall->>Admin: Confirm Enablement
    Admin->>Vsys1: Configure User-ID Sources
    Admin->>Vsys1: Designate as User-ID Hub
    Vsys1->>Vsys2: Share User-ID Mappings
    Vsys2-->>Vsys1: Request Mapping Information
```
Mermaid Sequence Diagram: Traffic Flow Utilizing User-ID Hub

```mermaid
sequenceDiagram
    participant User
    participant Vsys2
    %% Participant names with spaces or parentheses need an alias in Mermaid
    participant Hub as Vsys1 (Hub)
    participant Resource
    User->>Vsys2: Initiate Traffic
    Vsys2->>Vsys2: Check Local User-ID Mapping
    alt Mapping Not Found
        Vsys2->>Hub: Request User-ID Mapping
        Hub-->>Vsys2: Provide User-ID Mapping
    end
    Vsys2->>Vsys2: Apply Security Policies
    Vsys2->>Resource: Forward Traffic
```
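The lookup order in the traffic-flow diagram, as an added Python model that is not PAN-OS code or Palo Alto Networks' own: a vsys consults its local mappings, falls back to the hub, and otherwise treats the source as an unknown user, so user-based rules no longer match. The vsys names, IPs, users and the small policy table are constructed for the example; it also shows the failure mode of a vsys that was never pointed at the hub.

```python
"""Model of the User-ID Hub lookup flow (illustration only, not PAN-OS code)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

UNKNOWN = "unknown"   # what a flow resolves to when no mapping exists anywhere

@dataclass
class Vsys:
    """A virtual system with its own local IP-to-user mappings."""
    name: str
    local_map: Dict[str, str] = field(default_factory=dict)
    hub: Optional["Vsys"] = None   # the vsys designated as User-ID Hub, if any

    def resolve_user(self, ip: str) -> str:
        """Local mapping first; fall back to the hub; else the user is unknown."""
        user = self.local_map.get(ip)
        if user is None and self.hub is not None:
            user = self.hub.local_map.get(ip)
        return user if user is not None else UNKNOWN

# Constructed sample policy: user-based rules only, so an unresolved user
# can never match an allow rule and falls through to the default deny.
POLICY = [
    {"user": "corp\\alice", "dst": "crm", "action": "allow"},
    {"user": "corp\\bob", "dst": "crm", "action": "deny"},
]

def evaluate(vsys: Vsys, src_ip: str, dst: str) -> Tuple[str, str]:
    """Return (resolved user, action) for a flow arriving on `vsys`."""
    user = vsys.resolve_user(src_ip)
    for rule in POLICY:
        if rule["user"] == user and rule["dst"] == dst:
            return user, rule["action"]
    return user, "deny"   # no matching rule, which includes the unknown user

# Constructed sample mappings: only the hub vsys has learned them.
hub = Vsys("vsys1", {"10.0.1.10": "corp\\alice", "10.0.1.11": "corp\\bob"})
vsys_with_hub = Vsys("vsys2", hub=hub)
vsys_without_hub = Vsys("vsys3")   # misconfigured: never attached to the hub

if __name__ == "__main__":
    print(evaluate(vsys_with_hub, "10.0.1.10", "crm"))     # ('corp\\alice', 'allow')
    print(evaluate(vsys_without_hub, "10.0.1.10", "crm"))  # ('unknown', 'deny')
```

Checking that every vsys resolves the same IP to the same user is a quick way to confirm the hub is actually being consulted before trusting user-based rules on that vsys.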