A Palo Alto Networks firewall running PAN-OS 5.0.x can be configured to act as a User-ID Agent to share collected user mapping and group mapping information to other Palo Alto Networks devices. However, when a Palo Alto Networks firewall is configured as a User-ID Collector, the mappings received from User-ID Agents are not redistributed to the other Palo Alto Networks devices.
Resolution
The User-ID Collector redistributes only mappings that are collected locally by the User Mapping (Agentless User-ID) feature. User-IP mappings collected from User-ID Agents installed on Windows servers and from terminal server agents are not redistributed.
To configure User Mapping from the WebGUI, go to Device > User Identification > User Mapping
Note: The User-ID Collector should have User-ID Service enabled under an Interface Management (Network > Network Profiles > Interface Mgmt) profile.