Multi-Hub and spoke architecture for multiple regions:
If you have firewalls deployed in multiple regions and want to distribute the data to the firewalls in all of these regions so that you can enforce policy consistently regardless of where the user logs in, you can use a multi-hub and spoke architecture for multiple regions.
Start by configuring a firewall in each region to collect data from the sources. This firewall acts as the local hub for redistribution: it collects the data from all sources in that region so that it can redistribute it to the client firewalls. Next, configure the client firewalls to connect to the redistribution hubs for their own region and for all other regions so that the client firewalls have all data from all hubs.
As a best practice, enable bidirectional redistribution within a region if the firewalls need to both send and receive data. For example, if a firewall is acting as a GlobalProtect gateway for remote users and as a branch firewall for local users, the firewall must send the user mappings it collects for remote users to the hub firewall as well as receive the user mappings of the local users from the hub firewall.
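
The layout described above can be checked offline against an inventory of the deployment. The following is an added example, not vendor code: the inventory format, the firewall and region names, and the `audit` function are all hypothetical and constructed for illustration. It flags client firewalls that do not receive from every regional hub and firewalls that collect mappings but do not send them to the hub for their region.

```python
"""Audit a multi-hub and spoke redistribution layout (constructed inventory)."""

# Constructed sample data in a hypothetical format; not a firewall export.
HUBS = {"hub-emea": "emea", "hub-amer": "amer", "hub-apac": "apac"}  # hub -> region

# For each hub: the client firewalls it also collects mappings from.
HUB_SOURCES = {"hub-emea": {"gp-paris"}, "hub-amer": set(), "hub-apac": set()}

ALL = set(HUBS)
# For each client: its region, the hubs it receives from, and whether it
# collects mappings itself (for example, it is also a GlobalProtect gateway).
CLIENTS = {
    "fw-london": {"region": "emea", "receives_from": set(ALL), "collects": False},
    "gp-paris": {"region": "emea", "receives_from": set(ALL), "collects": True},
    "fw-denver": {"region": "amer", "receives_from": {"hub-amer"}, "collects": False},
    "gp-tokyo": {"region": "apac", "receives_from": set(ALL), "collects": True},
}


def audit(hubs, hub_sources, clients):
    """Return a sorted-by-client list of (finding, client, detail) tuples."""
    findings = []
    hub_by_region = {region: hub for hub, region in hubs.items()}
    for name, fw in sorted(clients.items()):
        local_hub = hub_by_region.get(fw["region"])
        if local_hub is None:
            # No firewall in this region was configured as the local hub.
            findings.append(("no-regional-hub", name, fw["region"]))
        # Every client must connect to the hubs of its own and all other regions.
        for hub in sorted(set(hubs) - fw["receives_from"]):
            findings.append(("missing-hub", name, hub))
        # Anything a client receives from should be a known hub.
        for other in sorted(fw["receives_from"] - set(hubs)):
            findings.append(("unknown-hub", name, other))
        # A firewall that collects mappings must also send them to its
        # regional hub (bidirectional redistribution within the region).
        if fw["collects"] and local_hub is not None:
            if name not in hub_sources.get(local_hub, set()):
                findings.append(("not-bidirectional", name, local_hub))
    return findings


if __name__ == "__main__":
    for finding in audit(HUBS, HUB_SOURCES, CLIENTS):
        print(*finding)
```

In the constructed data, fw-denver receives only from its own regional hub, so users who log in elsewhere would be unknown to it, and gp-tokyo collects mappings that no other firewall ever sees.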