To share IP address-to-username mappings across virtual systems, assign a virtual system as a User-ID hub.
To simplify User-ID™ source configuration when you have multiple virtual systems, configure the User-ID sources on a single virtual system to share IP address-to-username mappings with all other virtual systems on the firewall.
Configuring a single virtual system as a User-ID hub simplifies user mapping by eliminating the need to configure the sources on multiple virtual systems, especially if a user’s traffic will pass through multiple virtual systems based on the resources the user is trying to access (for example, in an academic networking environment where a student will be accessing different departments whose traffic is managed by different virtual systems).
To map the user, the firewall uses the mapping table on the local virtual system and applies the policy for that user. If the firewall does not find the mapping for a user on the virtual system where that user’s traffic originated, the firewall queries the hub to fetch the IP address-to-username information for that user. If the firewall locates the mapping on both the User-ID hub and the local virtual system, the firewall uses the mapping it learns locally.
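The lookup order described above, worked through as an added example that is not part of the original documentation and not Palo Alto Networks code: each virtual system is modelled as a small IP-to-username table, one virtual system is designated as the hub, and the resolver consults the local table first and the hub only when the local table has no entry, so a locally learned mapping always takes precedence. All virtual system names, addresses, usernames and the report helper are constructed for the example.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample data (assumption, not from the page): one mapping
# table per virtual system, plus the table of the virtual system that
# has been assigned as the User-ID hub.
HUB_VSYS = "vsys3"
HUB_TABLE: Dict[str, str] = {
    "10.1.1.10": "alice",
    "10.2.2.20": "bob",
    "10.3.3.30": "carol",
}
LOCAL_TABLES: Dict[str, Dict[str, str]] = {
    "vsys1": {"10.1.1.10": "alice"},
    # vsys2 learned a different name for 10.1.1.10 from its own source;
    # per the documented precedence, the local entry must win over the hub.
    "vsys2": {"10.2.2.20": "bob", "10.1.1.10": "alice-local"},
    HUB_VSYS: HUB_TABLE,
}

# (username, origin): origin is "local", "hub", or None when unmapped.
Lookup = Tuple[Optional[str], Optional[str]]


def resolve_user(vsys: str, ip: str) -> Lookup:
    """Resolve the username for client `ip` whose traffic entered `vsys`.

    1. Use the virtual system's own mapping table if it has the entry.
    2. Otherwise query the User-ID hub.
    3. If neither has the entry, the user stays unknown and only
       policy that does not depend on a username can match.
    """
    local = LOCAL_TABLES.get(vsys, {})
    if ip in local:
        return local[ip], "local"
    if vsys != HUB_VSYS and ip in HUB_TABLE:
        return HUB_TABLE[ip], "hub"
    return None, None


# Constructed sample of (vsys, source IP) pairs as a policy engine would
# see them; used to show how much each virtual system leans on the hub.
SAMPLE_FLOWS: List[Tuple[str, str]] = [
    ("vsys1", "10.1.1.10"),    # mapped locally on vsys1
    ("vsys1", "10.3.3.30"),    # only the hub knows this one
    ("vsys1", "192.0.2.99"),   # unmapped everywhere
    ("vsys2", "10.1.1.10"),    # local entry overrides the hub entry
]


def hub_dependency_report(flows: List[Tuple[str, str]]) -> Dict[str, Dict[str, int]]:
    """Count, per virtual system, flows identified locally, via the hub,
    or not at all. A non-zero "unknown" count points at a source that is
    configured on neither the local virtual system nor the hub."""
    report: Dict[str, Dict[str, int]] = {}
    for vsys, ip in flows:
        counts = report.setdefault(vsys, {"local": 0, "hub": 0, "unknown": 0})
        _, origin = resolve_user(vsys, ip)
        counts[origin or "unknown"] += 1
    return report


if __name__ == "__main__":
    for vsys, ip in SAMPLE_FLOWS:
        print(vsys, ip, resolve_user(vsys, ip))
    print(hub_dependency_report(SAMPLE_FLOWS))
```

The `vsys2` case is the one worth noticing when troubleshooting: if two sources disagree about an address, the virtual system that learned a mapping itself will enforce policy on that name, not on the hub's, so consolidating sources on the hub also removes this class of inconsistency.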
After you configure the User-ID hub, a virtual system can use the mapping table on the User-ID hub whenever it needs to identify a user for user-based policy enforcement, or to display the username in a log or report, and the source is not available locally. When you select a hub, the firewall retains the mappings already present on the other virtual systems, so we recommend consolidating the User-ID sources on the hub. However, if you don’t want to share mappings from a specific source, you can configure an individual virtual system to perform user mapping for that source.