Redistribute User Mappings and Authentication Timestamps
Every firewall that enforces user-based policy requires
user mapping information. In a large-scale network, instead of configuring
all your firewalls to directly query the mapping information sources,
you can streamline resource usage by configuring some firewalls
to collect mapping information through redistribution. Redistribution
also enables the firewalls to enforce user-based policies when users
rely on local sources for authentication (such as regional directory
services) but need access to remote services and applications (such
as global data center applications).
You can redistribute user mapping information collected
through any method except Terminal Server (TS) agents. You cannot
redistribute Group Mapping or HIP match information.
If you use Panorama and Dedicated Log Collectors to manage firewalls
and aggregate firewall logs, you can use Panorama to manage User-ID
redistribution.
Leveraging Panorama and your distributed log collection infrastructure
is a simpler solution than creating extra connections between firewalls
to redistribute User-ID information.
If you Configure Authentication Policy, your firewalls must also
redistribute the Authentication Timestamps that are generated when
users authenticate to access applications and services. Firewalls use
the timestamps to evaluate the timeouts for Authentication policy
rules. The timeouts allow a user who has successfully authenticated to
request services and applications again within the timeout period
without authenticating a second time. Redistributing timestamps
enables you to enforce consistent timeouts across all the firewalls in
your network.
Firewalls share user mappings and authentication timestamps as
part of the same redistribution flow; you don’t have to configure
redistribution for each information type separately.