best practice User-ID strategy?

Showing results for 
Show  only  | Search instead for 
Did you mean: 

best practice User-ID strategy?

L2 Linker


first I try to give you some information. Our headquarter is located in Germany. All of our subsidiaries are connected to Germany via relatively slow VPN lines. Overall we have round about 20 DCs in different countires. Until now we have only 3 Palo Alto firewalls (Germany, USA, Canada) but in the future we plan to buy more.

Our setup until last week was the following. We installed the software User-ID agent on the DC in Germany. We connected all DCs worldwide to this agent. Unfortunately the agent retrieves all logs and produces a lot of traffic over the VPN lines. So we decided to change our setup.

We are planning to install the User-ID agent on all DCs worldwide and connect the firewall in Germany with all agents. With this solution the traffic should drop significantely. Furthermore the firewall in USA and Canada will be connected with the particular DC in that country and in Germany.

Or is it better to connect these firewalls also with all agents?

Is it possible to distribute the mappings from the firewall in Germany to the other firewalls without the need of connecting agents to the firewalls in USA and Canada?

Another question is if all agents should observe all available networks or only the local subnets?

I hope you can help me!


L6 Presenter

Hello admin@peri,

Normally only local subnet.....

Because User based policies are normally configured inside to outside direction.

But if User based policy is configured for outside to inside network then its required to learn all the networks.

Let me know if that answers the question.


Hardik Shah

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!