https://live.paloaltonetworks.com/t5/general-topics/userid-what-s-the-best-practice-for-configuration-crossing/m-p/102452#M44562 <P>Currently user-id information is only locally known on each firewall where the connections to AD are configured. &nbsp;And the firewalls do not communicate with each other.</P><P>&nbsp;</P><P>Thus any firewall along the path of a client communication using user-id will need to have the appropriate rules and AD connections in place to enforce policy.</P><P>&nbsp;</P><P>Depending on how the traffic goes and how many firewalls you cross, you might be able to organize the most specific rules at either a central point or at a point closest to the users. &nbsp;Then apply more general policies at the other points in the path. &nbsp;</P><P>&nbsp;</P><P>But the basic premise is that the traffic will be evaluated based on local PAN knowledge at each firewall crossing. &nbsp;So you need ot consider what that PAN knows about user-id when setting up the rule base.</P> Thu, 11 Aug 2016 21:36:43 GMT pulukas 2016-08-11T21:36:43Z https://live.paloaltonetworks.com/t5/general-topics/userid-what-s-the-best-practice-for-configuration-crossing/m-p/102091#M44546 <P>Hello,</P><P>We are starting to deploy UserID based policies across our enterprise.</P><P>I'd like to know what is the best practice when dealing with rule policies that cross multiple zones/firewalls that are in different locations?</P><P>Does the user portion of the rule only need to be as close to the client then go to network rules in between the firewalls and resource or can userID go through the entire network path from client/user to resource?</P><P>Thanks,</P> Wed, 10 Aug 2016 22:22:31 GMT https://live.paloaltonetworks.com/t5/general-topics/userid-what-s-the-best-practice-for-configuration-crossing/m-p/102091#M44546 jezkerwin 2016-08-10T22:22:31Z https://live.paloaltonetworks.com/t5/general-topics/userid-what-s-the-best-practice-for-configuration-crossing/m-p/102452#M44562 <P>Currently user-id information is only locally known on each firewall where the connections to AD are configured. &nbsp;And the firewalls do not communicate with each other.</P><P>&nbsp;</P><P>Thus any firewall along the path of a client communication using user-id will need to have the appropriate rules and AD connections in place to enforce policy.</P><P>&nbsp;</P><P>Depending on how the traffic goes and how many firewalls you cross, you might be able to organize the most specific rules at either a central point or at a point closest to the users. &nbsp;Then apply more general policies at the other points in the path. &nbsp;</P><P>&nbsp;</P><P>But the basic premise is that the traffic will be evaluated based on local PAN knowledge at each firewall crossing. &nbsp;So you need ot consider what that PAN knows about user-id when setting up the rule base.</P> Thu, 11 Aug 2016 21:36:43 GMT https://live.paloaltonetworks.com/t5/general-topics/userid-what-s-the-best-practice-for-configuration-crossing/m-p/102452#M44562 pulukas 2016-08-11T21:36:43Z