To aggregate User-ID information, organize the redistribution
sequence in layers, where each layer has one or more firewalls.
In the bottom layer, PAN-OS integrated User-ID agents running on firewalls
and Windows-based User-ID agents running on Windows servers map
IP addresses to usernames. Each higher layer has firewalls that
receive the mapping information and authentication timestamps from up
to 100 redistribution points in the layer beneath it. The top-layer
firewalls aggregate the mappings and timestamps from all layers.
This deployment provides the option to configure policies for all
users in top-layer firewalls and region- or function-specific policies
for a subset of users in the corresponding domains served by lower-layer
firewalls.
Figure 1 shows a deployment with three layers of firewalls that redistribute
mappings and timestamps from local offices to regional offices and
then to a global data center. The data center firewall that aggregates
all the information shares it with other data center firewalls so
that they can all enforce policy and generate reports for users
across your entire network. Only the bottom-layer firewalls use
User-ID agents to query the directory servers.
The information sources that the User-ID agents query do not
count towards the maximum of ten hops in the sequence.
However, Windows-based User-ID agents that forward mapping information
to firewalls do count as hops. Therefore, in this example, redistribution
from the European region to all the data center firewalls requires
only three hops, while redistribution from the North American region requires
four hops. Also in this example, the top layer has two hops: the
first to aggregate information in one data center firewall and the
second to share the information with other data center firewalls.
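The hop-counting rule above is easy to get wrong when planning a large deployment, so here is an added example (not code from the PAN-OS documentation) that models the Figure 1 topology and checks it against the two limits the text states: at most ten hops in a sequence and at most 100 redistribution points feeding one firewall. Node names and the exact link layout are assumptions constructed to mirror the description.

```python
from collections import defaultdict

MAX_HOPS = 10                    # maximum hops in a redistribution sequence
MAX_REDISTRIBUTION_POINTS = 100  # per receiving firewall, from the layer beneath

# Constructed topology mirroring the Figure 1 description (node names are
# assumptions). Kinds: "directory" = information source a User-ID agent
# queries (never a hop); "windows_agent" = Windows-based User-ID agent
# forwarding to a firewall (counts); "firewall" = redistribution point.
KINDS = {
    "eu-dir": "directory", "eu-office-fw": "firewall",   # integrated agent
    "eu-region-fw": "firewall",
    "na-dir": "directory", "na-agent": "windows_agent",
    "na-office-fw": "firewall", "na-region-fw": "firewall",
    "dc-fw-1": "firewall",   # aggregates all mappings and timestamps
    "dc-fw-2": "firewall",   # receives the aggregate from dc-fw-1
}
# Directed (sender, receiver) links, bottom layer upward.
EDGES = [
    ("eu-dir", "eu-office-fw"), ("eu-office-fw", "eu-region-fw"),
    ("eu-region-fw", "dc-fw-1"),
    ("na-dir", "na-agent"), ("na-agent", "na-office-fw"),
    ("na-office-fw", "na-region-fw"), ("na-region-fw", "dc-fw-1"),
    ("dc-fw-1", "dc-fw-2"),
]

def redistribution_path(source, destination, edges):
    """Follow each node's single upstream link until destination is reached."""
    upstream = dict(edges)          # every sender forwards to exactly one receiver here
    path = [source]
    while path[-1] != destination:
        path.append(upstream[path[-1]])
    return path

def count_hops(path, kinds):
    """Hops along a path: every forwarding step except the directory query."""
    return sum(1 for sender in path[:-1] if kinds[sender] != "directory")

def check_topology(kinds, edges, top="dc-fw-2"):
    """Return a list of limit violations (empty when the design is valid)."""
    problems = []
    senders_of = defaultdict(set)
    for sender, receiver in edges:
        if kinds[sender] != "directory":      # directory queries are not redistribution
            senders_of[receiver].add(sender)
    for fw, senders in senders_of.items():
        if len(senders) > MAX_REDISTRIBUTION_POINTS:
            problems.append(f"{fw} receives from {len(senders)} redistribution points")
    for node, kind in kinds.items():
        if kind == "directory":
            hops = count_hops(redistribution_path(node, top, edges), kinds)
            if hops > MAX_HOPS:
                problems.append(f"{node} -> {top} needs {hops} hops (max {MAX_HOPS})")
    return problems
```

With this topology the European path counts three hops and the North American path four, matching the text; `check_topology` returns an empty list for the example and a message for any chain that exceeds the limits.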