To share IP address-to-username mappings and username-to-group mappings across virtual systems, assign a virtual system as a User-ID hub.

To simplify User-ID™ source configuration when you have multiple virtual systems, configure the User-ID sources on a single virtual system to share IP address-to-username mappings and username-to-group mappings with all other virtual systems on the firewall. Configuring a single virtual system as a User-ID hub simplifies user mapping by eliminating the need to configure the sources on multiple virtual systems, especially if traffic will pass through multiple virtual systems based on the resources the user is trying to access (for example, in an academic networking environment where a student will be accessing different departments whose traffic is managed by different virtual systems).
To map the user or group, the firewall first uses the mapping table on the local virtual system and applies the policy for that user or group. If the firewall does not find the mapping for a user or group on the virtual system where that user's traffic originated, it queries the hub to fetch the IP address-to-username mapping for that user or the username-to-group mapping for that group. If the firewall locates the mapping on both the User-ID hub and the local virtual system, it uses the mapping it learned locally; if the local mapping differs from the mapping on the User-ID hub, the local mapping still takes precedence.
After you configure the User-ID hub, a virtual system can use the mapping table on the User-ID hub when it needs to identify a user for user-based policy enforcement or to display the username in a log or report but the source is not available locally. When you select a hub, the firewall retains the mappings on the other virtual systems, so we recommend consolidating the User-ID sources on the hub. However, if you don't want to share mappings from a specific source, you can configure an individual virtual system to perform its own user or group mapping.
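The lookup order described above (local table first, hub as fallback, local wins on conflict) is easy to get wrong when auditing which identity a policy will actually match. The following Python model is an added illustration written for this page, not Palo Alto Networks code or any firewall API; the virtual system names, IP addresses, usernames and groups are constructed sample data. It resolves a user and group the way the text describes and also records every case where a local mapping disagrees with the hub, which is the condition an administrator would want to review after consolidating sources on the hub.

```python
"""Model of User-ID hub lookup precedence across virtual systems.

Constructed example: the vsys names, IP addresses, usernames and groups
below are hypothetical sample data, not taken from any firewall.
"""
from dataclasses import dataclass, field


@dataclass
class Vsys:
    """One virtual system with its own User-ID mapping tables."""
    name: str
    ip_to_user: dict = field(default_factory=dict)      # IP -> username
    user_to_groups: dict = field(default_factory=dict)  # username -> set(groups)


class UserIdFabric:
    """All virtual systems on one firewall, with one of them acting as hub."""

    def __init__(self, vsys_list, hub_name):
        self.vsys = {v.name: v for v in vsys_list}
        self.hub = self.vsys[hub_name]
        # (vsys, key, local_value, hub_value) records where local and hub disagree
        self.conflicts = []

    def resolve_user(self, vsys_name, ip):
        """Return (username, source) for an IP seen on vsys_name.

        Local table is consulted first; the hub is queried only when the
        local vsys has no mapping. A differing hub entry never overrides a
        local one, but the disagreement is recorded for review.
        """
        local = self.vsys[vsys_name]
        local_user = local.ip_to_user.get(ip)
        hub_user = self.hub.ip_to_user.get(ip)
        if local_user is not None:
            if hub_user is not None and hub_user != local_user:
                self.conflicts.append((vsys_name, ip, local_user, hub_user))
            return local_user, "local"
        if hub_user is not None:
            return hub_user, "hub"
        return None, None  # unknown user: only unknown-user policy can apply

    def resolve_groups(self, vsys_name, user):
        """Same precedence for username-to-group mappings."""
        local = self.vsys[vsys_name]
        local_groups = local.user_to_groups.get(user)
        hub_groups = self.hub.user_to_groups.get(user)
        if local_groups is not None:
            if hub_groups is not None and hub_groups != local_groups:
                self.conflicts.append((vsys_name, user, local_groups, hub_groups))
            return local_groups, "local"
        if hub_groups is not None:
            return hub_groups, "hub"
        return set(), None


def build_demo():
    """Constructed topology: vsys1 is the hub, vsys2 keeps a stale local entry,
    vsys3 has no User-ID sources of its own."""
    hub = Vsys("vsys1",
               ip_to_user={"10.1.1.10": "alice", "10.2.2.20": "bob"},
               user_to_groups={"alice": {"students"}, "bob": {"staff"}})
    vsys2 = Vsys("vsys2",
                 ip_to_user={"10.2.2.20": "carol"},   # disagrees with hub
                 user_to_groups={"carol": {"contractors"}})
    vsys3 = Vsys("vsys3")                                 # relies entirely on hub
    return UserIdFabric([hub, vsys2, vsys3], hub_name="vsys1")


if __name__ == "__main__":
    fabric = build_demo()
    print(fabric.resolve_user("vsys3", "10.1.1.10"))   # ('alice', 'hub')
    print(fabric.resolve_user("vsys2", "10.2.2.20"))   # ('carol', 'local')
    print(fabric.resolve_groups("vsys3", "bob"))       # ({'staff'}, 'hub')
    for c in fabric.conflicts:
        print("local/hub mismatch:", c)
```

Running the model shows that vsys3, which has no sources, still identifies users through the hub, while vsys2's stale local entry silently wins over the hub entry for the same address. The `conflicts` list is the check worth keeping: after consolidating sources on the hub, any entry in it points at a leftover per-vsys source that is producing a different answer than the hub.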