best practice User-ID strategy?


L2 Linker

Hello,

First, I will try to give you some background. Our headquarters is located in Germany. All of our subsidiaries are connected to Germany via relatively slow VPN lines. Overall we have around 20 DCs in different countries. Until now we have only 3 Palo Alto firewalls (Germany, USA, Canada), but in the future we plan to buy more.

Our setup until last week was the following: we installed the software User-ID agent on the DC in Germany and connected all DCs worldwide to this agent. Unfortunately, the agent retrieves all logs and produces a lot of traffic over the VPN lines, so we decided to change our setup.

We are planning to install the User-ID agent on all DCs worldwide and connect the firewall in Germany to all agents. With this solution the traffic should drop significantly. Furthermore, the firewalls in the USA and Canada will be connected to the respective DC in their own country and to the one in Germany.

Or is it better to connect these firewalls to all agents as well?

Is it possible to distribute the mappings from the firewall in Germany to the other firewalls without having to connect agents to the firewalls in the USA and Canada?

Another question is whether all agents should observe all available networks or only their local subnets.

I hope you can help me!


L6 Presenter

Hello admin@peri,

Normally only the local subnet.

This is because user-based policies are normally configured in the inside-to-outside direction.

But if a user-based policy is configured for the outside-to-inside direction, then it is required to learn all the networks.

Let me know if that answers the question.

Regards,

Hardik Shah
