10-14-2025 05:09 AM
We have 4 Palo Alto clusters managed by Panorama; each cluster has 2 firewalls, and each firewall has a number of vsys.
We want to configure User-ID with the agent-based method.
My proposed solution is to integrate each firewall directly with the User-ID agent, then push the User-ID agents in Panorama (in the device group setup it asks about the default firewall to get User-ID data from, and it is set correctly).
Does this solution need any special configuration between Panorama and the firewalls other than what was mentioned earlier in the device group setup?
After this implementation, will I be able to configure firewall policies from Panorama and push them to the firewalls based on User-ID data collected from the firewalls, right?
10-16-2025 03:47 AM
How you should design redistribution depends on where your User-ID information comes from.
If any of your firewalls serve up GlobalProtect, you should set them as a source as well. The most efficient approach would probably be to set up a hub-spoke model with Panorama collecting and redistributing all User-ID information.
If your User-ID information only comes from your AD/User-ID agent, you can connect all firewalls directly to the User-ID agent.

