In a large-scale network, instead of configuring all
your firewalls to directly query the data sources, you can streamline
resource usage by configuring some firewalls to collect data through redistribution.
Data redistribution also provides granularity, allowing you to redistribute
only the types of information you specify to only the devices you
select. You can also filter the IP user mappings or IP tag mappings
using subnets and ranges to ensure the firewalls collect only the mappings
they need to enforce policy.
Data redistribution can be unidirectional (the agent provides
data to the client) or bidirectional, where both the agent and the
client can simultaneously send and receive data.
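The subnet and range filtering described above, as an added example that is not PAN-OS code: the mapping table, the include/exclude scopes and the function names are constructed for illustration, and the filter logic models the intent (a client receives only the mappings inside its scope) rather than the firewall's own implementation.

```python
"""Filter IP-to-user mappings down to the subnets and ranges a client needs.

Added example, not PAN-OS code. Mappings, scopes and function names are
constructed; the behaviour shown is a model of include/exclude filtering.
"""
import ipaddress


def parse_scope(entries):
    """Turn 'a.b.c.d/n' subnets and 'start-end' ranges into network objects."""
    scope = []
    for entry in entries:
        if "-" in entry:
            lo, hi = (ipaddress.ip_address(x.strip()) for x in entry.split("-", 1))
            # A start-end range is expressed as the minimal set of CIDR blocks
            scope.extend(ipaddress.summarize_address_range(lo, hi))
        else:
            scope.append(ipaddress.ip_network(entry, strict=False))
    return scope


def filter_mappings(mappings, include, exclude=()):
    """Keep mappings whose IP is inside an include scope and no exclude scope.

    Exclusions win over inclusions, so a service subnet carved out of a larger
    include block never reaches the client.
    """
    inc = parse_scope(include)
    exc = parse_scope(exclude)
    kept = []
    for ip, user in mappings:
        addr = ipaddress.ip_address(ip)
        if any(addr in n for n in inc) and not any(addr in n for n in exc):
            kept.append((ip, user))
    return kept


# Constructed sample mappings as a hub firewall might hold them
MAPPINGS = [
    ("10.1.5.20", "corp\\alice"),
    ("10.1.9.7", "corp\\bob"),
    ("10.2.0.15", "corp\\carol"),          # another region's user subnet
    ("172.16.40.3", "corp\\dave"),
    ("10.1.250.2", "corp\\svc-scanner"),   # service subnet the branch should not see
]

# Constructed scope for one branch client: its user subnet plus one range,
# minus a service subnet inside the include block
BRANCH_INCLUDE = ["10.1.0.0/16", "172.16.40.0-172.16.40.255"]
BRANCH_EXCLUDE = ["10.1.250.0/24"]

if __name__ == "__main__":
    for ip, user in filter_mappings(MAPPINGS, BRANCH_INCLUDE, BRANCH_EXCLUDE):
        print(f"{ip:15} {user}")
```

Run as a script it prints the three mappings the branch client actually needs (alice, bob and dave); carol is outside the include scope and the scanner falls in the excluded service subnet.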
- Hub and spoke architecture for a single region:
To redistribute data between firewalls, use a hub and spoke architecture
as a best practice. In this configuration, a hub firewall collects
the data from sources such as Windows User-ID agents, syslog servers,
domain controllers, or other firewalls. Configure the redistribution
client firewalls to collect the data from the hub firewall.
For example, a hub (consisting of a pair of VM-50s for resiliency) could
connect to the User-ID sources for the user mappings. When the client
firewalls that use the user mappings to enforce policy connect to the
hub to receive data, the hub redistributes the user mappings to them.
- Multi-hub and spoke architecture for multiple regions:
If you have firewalls deployed in multiple regions and want to distribute
the data to the firewalls in all of these regions so that you can
enforce policy consistently regardless of where the user logs in,
you can use a multi-hub and spoke architecture.
Start by configuring a firewall in each region to collect data from the
sources in that region. This firewall acts as the local hub for redistribution:
it collects the data from all sources in the region so that
it can redistribute it to the client firewalls. Next, configure
the client firewalls to connect to the redistribution hubs for their
own region and for all other regions, so that every client firewall
holds the data from all hubs.
As a best practice, enable bidirectional
redistribution within a region if the firewalls need to both send
and receive data. For example, if a firewall is acting as a GlobalProtect
gateway for remote users and as a branch firewall for local users,
the firewall must send the user mappings it collects for remote
users to the hub firewall as well as receive the user mappings of
the local users from the hub firewall.
- Hierarchical architecture:
To redistribute data, you
can also use a hierarchical architecture. For example, to redistribute
data such as User-ID information, organize the redistribution sequence
in layers, where each layer has one or more firewalls. In the bottom
layer, PAN-OS integrated User-ID agents running on firewalls and
Windows-based User-ID agents running on Windows servers map IP addresses
to usernames. Each higher layer has firewalls that receive the mapping
information and authentication timestamps from up to 100 redistribution
points in the layer beneath it. The top-layer firewalls aggregate
the mappings and timestamps from all layers. This deployment provides
the option to configure policies for all users in top-layer firewalls
and region- or function-specific policies for a subset of users
in the corresponding domains served by lower-layer firewalls.
In this scenario, three layers of firewalls redistribute mappings and
timestamps from local offices to regional offices and then to a
global data center. The data center firewall that aggregates all
the information shares it with the other data center firewalls so that
they can all enforce policy and generate reports for users across
your entire network. Only the bottom-layer firewalls use User-ID
agents to query the directory servers.
The information sources that the User-ID agents query do not count
towards the maximum of ten hops in the sequence. However, Windows-based
User-ID agents that forward mapping information to firewalls do count.
Also in this example, the top layer has two hops: the first to aggregate
information in one data center firewall and the second to share
the information with the other data center firewalls.
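The hop and fan-in rules described above applied to the three-layer scenario, as an added example (not PAN-OS code or tooling): the topology, node names and helper names are constructed, the limits are the ones the text states (ten hops in a sequence, up to 100 redistribution points per collecting firewall), and the hop counting follows the text's rules that queried information sources do not count while Windows-based agents and firewall-to-firewall redistribution do. It also models the bidirectional hub/gateway link from the multi-hub section, so the same checker covers either design.

```python
"""Check a User-ID redistribution topology against the hop and fan-in limits.

Added example, not PAN-OS code. Node names, helper names and the sample
topologies are assumptions; the limits and hop-counting rules are the ones
stated in the text.
"""
from collections import defaultdict

MAX_HOPS = 10      # hops allowed in one redistribution sequence
MAX_FAN_IN = 100   # redistribution points one firewall may collect from

# Directory servers and other sources that agents query never count as a hop.
# A Windows-based agent forwarding to a firewall, and a firewall redistributing
# to another firewall, each count as one hop.
SOURCE, WINDOWS_AGENT, FIREWALL = "source", "windows_agent", "firewall"


class Topology:
    def __init__(self):
        self.kind = {}
        self.providers = defaultdict(list)  # collector -> nodes it collects from

    def add(self, name, kind):
        self.kind[name] = kind
        return name

    def collects_from(self, collector, *nodes):
        self.providers[collector].extend(nodes)

    def bidirectional(self, a, b):
        """Both sides send and receive, e.g. a GlobalProtect gateway and its hub."""
        self.collects_from(a, b)
        self.collects_from(b, a)

    def hops_to(self, node, visited=frozenset()):
        """Longest simple redistribution chain that ends at `node`."""
        if self.kind[node] == SOURCE:
            return 0
        visited = visited | {node}
        best = 0
        for p in self.providers[node]:
            if p in visited:            # bidirectional link: do not walk back
                continue
            hop = 0 if self.kind[p] == SOURCE else 1
            best = max(best, self.hops_to(p, visited) + hop)
        return best

    def violations(self):
        problems = []
        for fw, kind in self.kind.items():
            if kind != FIREWALL:
                continue
            hops = self.hops_to(fw)
            if hops > MAX_HOPS:
                problems.append(f"{fw}: {hops} hops > {MAX_HOPS}")
            fan_in = sum(1 for p in self.providers[fw] if self.kind[p] != SOURCE)
            if fan_in > MAX_FAN_IN:
                problems.append(f"{fw}: {fan_in} redistribution points > {MAX_FAN_IN}")
        return problems


def three_layer_example():
    """Local office -> regional office -> data center layout from the text."""
    t = Topology()
    dc = t.add("dc01.corp.example", SOURCE)          # constructed source name
    win_agent = t.add("uid-agent-win", WINDOWS_AGENT)
    t.collects_from(win_agent, dc)
    branch_a = t.add("fw-branch-a", FIREWALL)        # integrated agent queries dc
    branch_b = t.add("fw-branch-b", FIREWALL)        # fed by the Windows agent
    t.collects_from(branch_a, dc)
    t.collects_from(branch_b, win_agent)
    regional = t.add("fw-region-east", FIREWALL)
    t.collects_from(regional, branch_a, branch_b)
    dc_agg = t.add("fw-dc-aggregator", FIREWALL)     # first top-layer hop
    t.collects_from(dc_agg, regional)
    dc_peer = t.add("fw-dc-peer", FIREWALL)          # second top-layer hop
    t.collects_from(dc_peer, dc_agg)
    return t


def chain_example(length):
    """A straight chain of `length` firewalls behind one integrated agent."""
    t = Topology()
    prev = t.add("dc01.corp.example", SOURCE)
    for i in range(length):
        fw = t.add(f"fw-{i}", FIREWALL)
        t.collects_from(fw, prev)
        prev = fw
    return t


if __name__ == "__main__":
    t = three_layer_example()
    for fw in ("fw-branch-a", "fw-branch-b", "fw-region-east",
               "fw-dc-aggregator", "fw-dc-peer"):
        print(f"{fw:18} hops={t.hops_to(fw)}")
    print("violations:", chain_example(12).violations())
```

The count is the longest chain a mapping can traverse, so a branch fed through a Windows-based agent sits one hop deeper than one whose integrated agent queries the directory server directly, and the second data center firewall in the three-layer design ends up four hops from the source. The checker treats a bidirectional link as two edges and refuses to walk back along one, which is what keeps a hub/gateway pair from being counted as an endless loop.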