Do Mobile Users gateway firewalls redistribute User-ID Information to all the Service Connection firewalls?
Question
Do Mobile Users gateway firewalls redistribute User-ID Information to all the Service Connection firewalls?
Environment
- Prisma Access
- Prisma Access Strata Cloud Manager Managed
- Prisma Access Cloud Managed
- Prisma Access Panorama Managed
- Prisma Access Mobile Users Gateway
- Prisma Access Service Connection
- Prisma Access Identity Redistribution
Answer
No. Each Mobile Users Gateway node redistributes its User-ID information (IP-user mappings) only to the Service Connection node that is geographically closest to it, not to all Service Connection nodes.
For example, in the network topology below, the Mobile Users Location 1 firewall node redistributes its User-ID information to the Service Connection Location 2 firewall node, and the Mobile Users Location 2 firewall node redistributes only to the Service Connection Location 1 firewall node.
The Mobile Users Location 1 firewall node does not redistribute to the Service Connection Location 1 firewall node, and the Mobile Users Location 2 firewall node does not redistribute to the Service Connection Location 2 firewall node.
Additional Information
Consider the following scenario.
1. We already have Service Connection Location 1 and Service Connection Location 2.
2. We deploy a third one, Service Connection Location 3, which is closer to Mobile Users Location 2.
3. Mobile Users Location 2 now redistributes its User-ID information to Service Connection Location 3 and stops redistributing to Service Connection Location 1.
4. This is because the Mobile Users Gateways do not have mesh connectivity to the Service Connections; each gateway connects only to the Service Connection that is geographically closest to it.
5. Sometimes, in order to balance traffic between the Service Connections, a Mobile Users Gateway needs to connect to the geographically furthest Service Connection. If that is the requirement, please contact the account team to implement the request.
6. If a Datacenter/HQ firewall requires User-ID information from all Prisma Access Mobile Users Gateways, configure the User-ID agent addresses of all Service Connections in its Data Redistribution Agents, as mentioned in this Document. Otherwise, a gateway that moves to a newly deployed, closer Service Connection (as in step 3) will silently stop contributing mappings to that firewall.
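The scenario in steps 1 to 6 as an added model, not Prisma Access code or anything from the vendor's documentation: gateway names, Service Connection names and the numeric distances are constructed, and "distance" stands in for whatever proximity metric Prisma Access uses to pick the closest Service Connection.

```python
# Illustrative model of nearest-Service-Connection User-ID redistribution.
# All names and distances below are constructed for the example.

def redistribution_targets(distances):
    """Map each Mobile Users gateway to the single Service Connection it
    redistributes IP-user mappings to: the geographically closest one.

    distances: {gateway: {service_connection: distance}}
    """
    targets = {}
    for gateway, sc_distances in distances.items():
        # No mesh to every SC: the gateway picks only the closest one.
        targets[gateway] = min(sc_distances, key=sc_distances.get)
    return targets


def mappings_seen_by_dc(distances, dc_agents):
    """Gateways whose User-ID mappings reach a datacenter/HQ firewall that
    pulls from the Service Connections listed in dc_agents (its configured
    Data Redistribution Agents)."""
    targets = redistribution_targets(distances)
    return {gw for gw, sc in targets.items() if sc in dc_agents}


def missing_gateways(distances, dc_agents):
    """Gateways whose mappings the DC firewall will NOT receive; a non-empty
    result means the Data Redistribution Agents list is incomplete."""
    return set(distances) - mappings_seen_by_dc(distances, dc_agents)


# Step 1: two gateways, two Service Connections (constructed topology).
INITIAL = {
    "MU-Loc1": {"SC-Loc1": 900, "SC-Loc2": 120},
    "MU-Loc2": {"SC-Loc1": 150, "SC-Loc2": 1100},
}

# Step 2: SC-Loc3 is deployed, much closer to MU-Loc2 than SC-Loc1 is.
WITH_SC3 = {
    "MU-Loc1": {"SC-Loc1": 900, "SC-Loc2": 120, "SC-Loc3": 1300},
    "MU-Loc2": {"SC-Loc1": 150, "SC-Loc2": 1100, "SC-Loc3": 40},
}

if __name__ == "__main__":
    print(redistribution_targets(INITIAL))   # MU-Loc1->SC-Loc2, MU-Loc2->SC-Loc1
    print(redistribution_targets(WITH_SC3))  # MU-Loc2 now -> SC-Loc3 (step 3)
    # A DC firewall still configured with only SC-Loc1/SC-Loc2 loses MU-Loc2.
    print(missing_gateways(WITH_SC3, {"SC-Loc1", "SC-Loc2"}))
    # Configuring every SC's agent address (step 6) closes the gap.
    print(missing_gateways(WITH_SC3, {"SC-Loc1", "SC-Loc2", "SC-Loc3"}))
```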