PAN-OS: Sharing User-ID Mappings Across Virtual Systems (User-ID Hub)

The Challenge in Multi-VSYS Environments

When a single Palo Alto Networks firewall is configured with multiple virtual systems (vsys), each vsys typically operates with its own independent configuration context, including its own User-ID mappings. Without a sharing mechanism, this means:

Each vsys might need its own configuration to monitor the same Domain Controllers or connect to the same User-ID Agent(s).
Each vsys maintains its own separate IP-to-User and User-to-Group mapping tables.
If user traffic traverses multiple vsys (e.g., based on routing between internal segments managed by different vsys), User-ID information might be lost at vsys boundaries if the destination vsys hasn't independently learned the mapping.
This leads to configuration duplication, increased load on directory servers (multiple vsys polling), and potentially inconsistent policy enforcement.

The Solution: User-ID Hub

Concept

PAN-OS provides a mechanism to centralize User-ID mapping collection and distribution within a multi-vsys firewall. This involves designating one specific virtual system as the User-ID Hub .

The User-ID Hub vsys becomes the single point of configuration for User-ID sources (Server Monitoring, Group Mapping, User-ID Agent connections, XML API listeners, etc.).
The Hub vsys collects and maintains the master IP-to-User and/or User-to-Group mapping tables.
Other virtual systems ("spoke" vsys) on the same firewall can be configured to query the Hub vsys when they need mapping information for policy enforcement or logging.

Mapping Types Shared

You can choose to share one or both types of mappings from the Hub:

IP User Mapping: Shares the IP address-to-username mappings.
User Group Mapping: Shares the username-to-group membership mappings.

You must select at least one mapping type to enable the Hub functionality.

Lookup Precedence

If a spoke vsys needs mapping information for a user/IP:

It first checks its own local mapping table (if any mappings were learned directly on that vsys).
If no local mapping is found, it then queries the designated User-ID Hub vsys.
If a mapping is found on the Hub, that mapping is used.
If no mapping is found locally or on the Hub, the user/group remains unknown for policy purposes on that spoke vsys.

Conclusion: Local mappings learned directly by a spoke vsys always take precedence over mappings shared from the Hub.

Benefits of Using a User-ID Hub

Simplified Configuration: Configure User-ID sources (Server Monitoring, Group Mapping, Agent connections) only once on the Hub vsys instead of duplicating the configuration across multiple vsys.
Consistency: Ensures all vsys utilize the same, up-to-date mapping information derived from a central collection point.
Resource Optimization: Reduces the load on directory servers (only the Hub vsys polls them) and potentially reduces management plane load on spoke vsys (as they query the hub instead of performing active collection).
Seamless Multi-VSYS Policy: Allows user-based policies to function correctly even when traffic traverses different virtual systems, as mapping information can be retrieved from the Hub.

Configuration Steps

Choose the Hub Virtual System:

Select one existing vsys to act as the central User-ID Hub. This vsys should ideally have reliable network connectivity to your User-ID sources (DCs, LDAP servers, User-ID Agents).
Enable Hub Functionality:
- GUI Path: Device > Virtual Systems
- Select the chosen Hub vsys and click Edit .
- Navigate to the Resource tab.
- Check the box `Make this vsys a User-ID data hub` .
- Click `Yes` to confirm the informational message.
- Under `Mapping Type` , select which mappings the hub will share:
  - IP User Mapping
  - User Group Mapping
  - (You must select at least one).
- Click OK.
Consolidate User-ID Source Configuration onto the Hub:
- CRITICAL STEP: The Hub vsys must be configured to actually *collect* the mappings it intends to share.
- Migrate or configure all necessary User-ID source settings exclusively on the **Hub vsys**:
  - Server Monitoring configurations ( Device > User Identification > User Mapping > Server Monitoring )
  - Group Mapping Settings & LDAP Server Profiles ( Device > User Identification > Group Mapping Settings & Device > Server Profiles > LDAP )
  - User-ID Agent connections ( Device > User Identification > User-ID Agents )
  - Syslog Parse Profiles / XML API configurations if used.
Remove Duplicate Configurations from Spoke VSYS:
- CRITICAL STEP: To gain the benefits of centralization and prevent conflicts/unnecessary load, remove the now-redundant User-ID source configurations (Server Monitoring, Group Mapping, Agent connections) from all *other* virtual systems ("spoke" vsys).
- The spoke vsys will rely on querying the hub.
Commit Changes:

Commit the configuration on the firewall.

Ensure firewall rules and potentially Service Routes allow the necessary communication between the Hub vsys's management interface (or specified service route interface) and the directory servers/User-ID agents.

Verification

Use CLI commands to verify the hub configuration and mapping distribution:

show user user-id-agent statistics : Shows which vsys is configured as the hub.
show user ip-user-mapping all virtual-system : Shows IP-to-User mappings available on a specific spoke vsys (will include mappings learned from the hub if local mapping doesn't exist).
show user group list virtual-system : Shows groups available for policy on a spoke vsys (sourced from the hub if configured).
show user group name " " virtual-system : Shows members of a specific group as known by the spoke vsys (retrieved from hub).
show user group-mapping state all virtual-system : Checks the group mapping connection status *on the hub*.

Caveats and Gotchas

Terminal Server Agent Mappings Not Shared: IP address-and-port-to-username mappings collected by a User-ID Agent installed directly on a Terminal Server (TS Agent) are *not* shared via the User-ID Hub mechanism. These mappings must be configured/collected locally on the vsys handling the Terminal Server traffic.
Hub Performance: The designated Hub vsys's management plane takes on the load of collecting all mappings. Ensure the firewall model and the chosen Hub vsys have sufficient resources, especially in large environments.
Configuration Consolidation is Manual: Enabling the hub feature doesn't automatically move configurations. You *must* manually consolidate the User-ID source settings onto the hub and remove them from spokes.
Local Precedence: Remember that mappings learned directly on a spoke vsys (e.g., via Captive Portal or GP on that vsys) will override mappings for the same IP/user received from the hub.
Inter-VSYS Communication: The firewall handles the internal querying between spoke and hub vsys; no specific inter-vsys routing configuration is typically needed for the sharing mechanism itself.

Best Practices

Consolidate Sources: Fully migrate User-ID source configurations (Server Monitoring, Group Mapping, Agent connections) to the designated Hub vsys for operational simplicity.
Choose Hub Wisely: Select a vsys with adequate management plane resources and reliable network connectivity to directory services/agents.
Monitor Hub Resources: Keep an eye on the CPU/memory utilization of the Hub vsys management plane after enabling the feature.
Consistent Username Format: Ensure primary/alternate username attributes are configured consistently on the Hub vsys's Group Mapping settings to match usernames received from various sources across all vsys.
Clean Up Spoke Configs: Diligently remove User-ID source configurations from spoke vsys after consolidating them onto the Hub.

PCNSE Exam Focus

For the PCNSE exam, regarding sharing User-ID across vsys:

Understand the problem solved: Reducing configuration duplication and inconsistency in multi-vsys environments.
Know the solution: Designating one vsys as a User-ID Hub .
Identify the configuration location: Device > Virtual Systems > [vsys] > Resource tab .
Know the types of mappings that can be shared: IP-User and User-Group .
Understand the need to consolidate User-ID source configurations (Server Monitoring, Group Mapping, Agent connections) onto the Hub vsys.
Recognize the lookup order: Local mappings take precedence over Hub mappings.
Be aware of the limitation regarding Terminal Server Agent mappings not being shared.
Know basic CLI verification commands involving the `virtual-system` keyword.

PAN-OS: Sharing User-ID Mappings Across Virtual Systems (User-ID Hub)

The Challenge in Multi-VSYS Environments

The Solution: User-ID Hub

Concept

Mapping Types Shared

Lookup Precedence

Benefits of Using a User-ID Hub

Configuration Steps

Choose the Hub Virtual System:

Enable Hub Functionality:

Consolidate User-ID Source Configuration onto the Hub:

Remove Duplicate Configurations from Spoke VSYS:

Commit Changes:

Verification

Caveats and Gotchas

Best Practices

PCNSE Exam Focus

User-ID Hub (Multi-VSYS Sharing) Quiz

References