User-ID Redistribution Delay After Migrating to Entra ID / Cloud Identity Engine
Hi Guys,
One of our customers recently migrated from on-premises AD DS to Microsoft Entra ID with Palo Alto Cloud Identity Engine.
They have two Palo Alto NGFWs.
- Internal Firewall
- Internet Edge Firewall
Previously, user identification was handled by four on-premises Windows User-ID Agents installed on Windows servers. These agents collected user-to-IP mappings from AD and shared the mapping information with both firewalls at the same time. This worked smoothly without any noticeable delay.
After moving to Entra ID, the current design is:
- Internal Firewall uses Cloud Identity Engine and Authentication Portal to identify users.
- Internal Firewall receives the user-to-IP mapping.
- Internal Firewall redistributes the user-to-IP mapping to the Internet Edge Firewall.
- Internet Firewall uses the mapping to match user-based internet access policies.
The issue is that after the Internal Firewall identifies the user, it takes a few seconds for the user-to-IP mapping to be redistributed to the Internet Firewall.
During this short delay, the Internet Firewall does not yet know the user mapping, so the initial internet request hits the unknown-user/block policy and users receive the block response page. After a few seconds (2s to 3s), once the mapping reaches the Internet Firewall, access works correctly, but users have to manually refresh the page.
Has anyone faced this type of delay after migrating from Windows User-ID Agents / on-prem AD to Entra ID with Cloud Identity Engine?
I would like to understand the best-practice design for this scenario:
- Should both firewalls be configured directly with Cloud Identity Engine as a mapping source?
- Is firewall-to-firewall User-ID redistribution the recommended design here?
- Are there any timers, or redistribution settings that can reduce this delay?
Any recommendations or design guidance would be highly appreciated.
Thanks.