What Is User-ID Redistribution?
User-ID Redistribution on Palo Alto firewalls lets firewalls share user-to-IP mappings across devices instead of each firewall collecting them on its own. This reduces the load on the network and on the servers being queried. It keeps identity-based policies consistent in multi-site setups, high-availability pairs, and cloud environments. The feature is useful whenever you run multiple firewalls and need the same user-to-IP mapping on all of them.
Redistribution Flow
Diagram Explanation
1️⃣ AD/User-ID Agent → Firewall
- The server has the Palo Alto agent installed and configured.
- The agent pulls the login events from AD/LDAP.
- The firewall connects to the agent and starts pulling the username-to-IP mappings.
2️⃣ Firewall ↔ Firewall (Redistribution)
- The primary firewall shares mappings with the rest of the firewalls via Syslog.
- Firewalls three, four, and five will apply policies without querying AD again.
3️⃣ User Traffic Flow
- The firewalls can now enforce access based on username (not just IP), even if the user moves to another subnet/firewall.
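Once mappings are redistributed, the practical check is that every firewall really does hold the same table. The script below is an added example, not Palo Alto code: it parses the table printed by `show user ip-user-mapping all` as captured from several firewalls and reports IPs whose username differs from the collector firewall, IPs that never arrived, and IPs present only on a client. The captured outputs are constructed samples, and the column layout assumed by the parser (IP, Vsys, From, User, IdleTimeout, MaxTimeout) is an assumption that may need adjusting to your PAN-OS version.

```python
"""Cross-firewall User-ID mapping consistency check (added example, not Palo Alto code)."""
from __future__ import annotations

import ipaddress

# Constructed sample outputs of `show user ip-user-mapping all` from two firewalls.
# The collector is the firewall that pulls from the User-ID agent; fw-branch-3 receives
# mappings by redistribution. The layout below is assumed, not copied from a real device.
CONSTRUCTED_OUTPUTS = {
    "fw-collector": """\
IP              Vsys   From    User                 IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------- -------------- -------------
10.10.1.25      vsys1  UIA     corp\\jdoe           2650           2650
10.10.2.40      vsys1  UIA     corp\\asmith         2700           2700
10.10.3.7       vsys1  UIA     corp\\mlee           1200           1200
Total: 3 users
""",
    "fw-branch-3": """\
IP              Vsys   From    User                 IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------- -------------- -------------
10.10.1.25      vsys1  UIA     corp\\jdoe           2640           2640
10.10.2.40      vsys1  UIA     corp\\bjones         2700           2700
Total: 2 users
""",
}


def parse_mapping_table(text: str) -> dict[str, str]:
    """Return {ip: username} from the command output, skipping header and footer lines."""
    mappings: dict[str, str] = {}
    for line in text.splitlines():
        fields = line.split()
        # Data rows have six columns (assumed layout) and begin with an IPv4/IPv6 address;
        # the header, the dashed separator and the "Total:" footer fail this test.
        if len(fields) != 6:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        ip, _vsys, _source, user = fields[:4]
        mappings[ip] = user
    return mappings


def compare_mappings(tables: dict[str, dict[str, str]], reference: str) -> dict[str, list[str]]:
    """Compare every firewall's table against the reference (collector) firewall.

    Returns {"conflict": [...], "missing": [...], "extra": [...]}, one line per finding.
    A conflict means two firewalls would enforce different user policies for the same IP,
    which is exactly the inconsistency redistribution is meant to prevent.
    """
    ref = tables[reference]
    findings: dict[str, list[str]] = {"conflict": [], "missing": [], "extra": []}
    for name, table in tables.items():
        if name == reference:
            continue
        for ip, user in ref.items():
            if ip not in table:
                findings["missing"].append(f"{name}: {ip} ({user}) not present")
            # Usernames are compared case-insensitively, as AD treats them that way.
            elif table[ip].lower() != user.lower():
                findings["conflict"].append(f"{name}: {ip} is {table[ip]}, reference has {user}")
        for ip, user in table.items():
            if ip not in ref:
                findings["extra"].append(f"{name}: {ip} ({user}) not on reference")
    return findings


def run_check(outputs: dict[str, str] = CONSTRUCTED_OUTPUTS, reference: str = "fw-collector") -> dict[str, list[str]]:
    """Parse all captured outputs and return the findings against the reference firewall."""
    tables = {name: parse_mapping_table(text) for name, text in outputs.items()}
    return compare_mappings(tables, reference)


if __name__ == "__main__":
    for kind, lines in run_check().items():
        for entry in lines:
            print(f"[{kind}] {entry}")
```

Run against the sample data, the check flags 10.10.2.40 as a conflict (the branch firewall still maps it to a different user) and 10.10.3.7 as missing on the branch; a missing entry shortly after a login is usually propagation delay, while a persistent conflict points at a stale mapping that did not get updated or a second mapping source on the client.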
What Are the Purpose and Benefits?
1️⃣ Consistent User Mapping Across Multiple Firewalls
- Ensures that all firewalls have up-to-date user-to-IP mappings for consistent policy enforcement.
2️⃣ Reduces Load on Domain Controllers
- Firewalls get user mappings from a central firewall to reduce the load on Active Directory (AD) queries.
3️⃣ Faster Policy Enforcement
- User mappings are available as needed, eliminating delays in applying User-ID-based security policies.
4️⃣ Improves Network Efficiency
- Instead of each firewall running its own User-ID agent, one firewall collects data and shares it with others.
5️⃣ Essential for Distributed Environments
- Useful in multi-site deployments where remote firewalls need access to user mappings from a central location.
When Is User-ID Redistribution Needed?
From my experience, this is useful in large environments involving branches, SASE such as Prisma Access, and cloud settings.
🔹 Multi-firewall environments (e.g., branch offices, data centers)
🔹 Large networks with multiple firewalls needing the same user data
🔹 Reducing direct queries to Active Directory
🔹 GlobalProtect VPN setups and Prisma Access where user mappings need to be shared
What Does This Configuration Look Like on the Firewall?
In this scenario, I will use Panorama as the redistribution source and a firewall as the client. Whether Panorama or a firewall should redistribute depends on which option best meets the organization's requirements. I recommend using a dedicated VM firewall for redistribution so that neither the perimeter firewall nor Panorama is overloaded.
Redistribution Using Panorama