A customer wants to deploy User-ID on a Palo Alto Networks NGFW with multiple vsys. One of the vsys will support a GlobalProtect portal and gateway. The customer uses Windows Active Directory for authentication.
What is the most operationally efficient way to redistribute the most accurate IP addresses to username mappings?
The most operationally efficient way to redistribute the most accurate IP addresses to username mappings in a Palo Alto Networks NGFW with multiple vsys is to deploy the GlobalProtect vsys as a User-ID data hub. This setup allows the vsys that supports GlobalProtect, which already collects user information for VPN authentication, to serve as a centralized point for gathering and redistributing IP-to-username mappings to all other vsys. This minimizes the configuration overhead and ensures all vsys have the most accurate and up-to-date user information.
It might be B, since the most operationally efficient way would be to configure one User-ID hub on one vsys and distribute the User-ID Sources from there to the other vsys.
I think B
Note sure where Global protect comes in here but: B https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/user-id/deploy-user-id-in-a-large-scale-network/share-user-id-mappings-across-vsys
B Your doc is spot-on. As for the role of GP, since users need to authenticate to connect to the vpn, GP will collect ip-to-username info and report it back to the user-ID agent on the firewall.
"..most accurate IP addresses .."