Cloud Identity Engine User Context
As large enterprise networks become more distributed across cities, regions, and countries, enforcing least-privilege user access becomes more challenging, especially at scale. User Context for the Cloud Identity Engine provides simplified granular control over the data that is shared across your security devices. It provides administrators with the flexibility to specify the data types (such as mappings and quarantine lists) each device sends and receives.

User Context for the Cloud Identity Engine requires PAN-OS 11.0.
The simplified deployment of User Context for information such as user mappings and tags minimizes time to enforcement. Centralizing visibility for users, tags, and mappings makes it easier to segment the data types based on user access needs. This method also increases scalability for virtual desktop infrastructure (VDI) users using the Terminal Server agent.
To enforce policy, User Context provides IP address-to-username mappings, IP port-to-username mappings, user tags, IP address tags, Host IDs, and quarantine list information to other firewalls and devices in your network through segments, which consist of firewalls that you specify. A segment can collect information as well as share information. A publishing segment sends the data from the firewalls and devices in that segment to the firewalls in the subscribed segment, which contains the firewalls that receive the data from the publishing segments.
Firewalls and Panorama can share multiple data types to one segment. On a firewall or Panorama, each data type can only be shared in one segment. Each firewall or Panorama can receive data from up to 100 segments.
By selecting the data that is collected by a segment and where that data is shared, you have full control in ensuring that the information required to enforce least-privilege access is available on each enforcement device.
If you associate a firewall that you configure as a User-ID hub with a segment, the Cloud Identity Engine provides the data types based on the firewall that subscribes to or publishes the segment, not based on the virtual system. To ensure that both locally learned data and data that the User Context Cloud Service provides are available to all virtual systems, configure the User-ID hub firewall as a subscriber in the segment.
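The segment rules above (each firewall publishes a given data type into only one segment, firewalls in a subscribing segment receive what the publishing segment's firewalls send, and a firewall can receive data from at most 100 segments) are easy to get wrong once several segments exist. The following Python model is an added example, not Palo Alto Networks code and not a Cloud Identity Engine API; it lets you check a planned publisher/subscriber layout offline before you configure it in the app. The firewall names, segment names, and short data-type keys are constructed for illustration; the data-type labels match the five types the configuration steps list.

```python
"""Planning model for Cloud Identity Engine User Context segments.

Added example: not Palo Alto Networks code and no Cloud Identity Engine
API is called. It encodes the segment rules described in the text so a
planned layout can be checked offline. Names below are constructed.
"""
from collections import defaultdict

# Short keys for the five data types a firewall can publish (labels as on the page).
DATA_TYPES = {
    "ip_user": "IP User Mappings",
    "ip_tag": "IP Tag Mappings",
    "user_tag": "User Tag Mappings",
    "quarantine": "Quarantine List",
    "ip_port": "IP Port Mappings",
}
# Documented limit: a firewall can receive data from at most 100 segments.
MAX_SOURCE_SEGMENTS = 100


class SegmentConfigError(ValueError):
    """A planned change violates one of the documented segment rules."""


class UserContextPlan:
    def __init__(self):
        self.members = defaultdict(set)        # segment -> firewalls assigned to it
        self.publications = {}                 # (firewall, data type) -> publishing segment
        self.subscriptions = defaultdict(set)  # segment -> publishing segments it subscribes to

    def assign(self, segment, *firewalls):
        """Assign firewalls to a segment (the 'Assign Segments' step)."""
        self.members[segment].update(firewalls)

    def publish(self, firewall, data_type, segment):
        """Publish one data type from a firewall into a segment it belongs to."""
        if data_type not in DATA_TYPES:
            raise SegmentConfigError(f"unknown data type {data_type!r}")
        if firewall not in self.members[segment]:
            raise SegmentConfigError(f"{firewall} is not assigned to segment {segment!r}")
        current = self.publications.get((firewall, data_type))
        if current is not None and current != segment:
            # Rule: on a firewall, each data type can be shared in only one segment.
            raise SegmentConfigError(
                f"{firewall} already publishes {DATA_TYPES[data_type]} to {current!r}; "
                "each data type can be shared in only one segment per firewall")
        self.publications[(firewall, data_type)] = segment

    def subscribe(self, subscriber, publisher):
        """Make every firewall in `subscriber` receive what `publisher` publishes."""
        if subscriber == publisher:
            raise SegmentConfigError("a segment cannot subscribe to itself")
        self.subscriptions[subscriber].add(publisher)
        for firewall in self.members[subscriber]:
            if len(self.source_segments(firewall)) > MAX_SOURCE_SEGMENTS:
                self.subscriptions[subscriber].discard(publisher)  # roll back
                raise SegmentConfigError(
                    f"{firewall} would receive data from more than "
                    f"{MAX_SOURCE_SEGMENTS} segments")

    def source_segments(self, firewall):
        """Publishing segments whose data reaches this firewall."""
        sources = set()
        for segment, firewalls in self.members.items():
            if firewall in firewalls:
                sources |= self.subscriptions.get(segment, set())
        return sources

    def received(self, firewall):
        """Data a firewall receives: data type -> set of source firewalls.
        Locally learned data is not counted, so a firewall is never its own source."""
        sources = self.source_segments(firewall)
        out = defaultdict(set)
        for (origin, data_type), segment in self.publications.items():
            if segment in sources and origin != firewall:
                out[data_type].add(origin)
        return dict(out)


def error_of(action, *args):
    """Run a planning step and return the rule it breaks, or None."""
    try:
        action(*args)
    except SegmentConfigError as exc:
        return str(exc)
    return None


def demo():
    """Hub firewalls publish into 'default'; branch firewalls subscribe to it."""
    plan = UserContextPlan()
    plan.assign("default", "FW-HQ", "FW-DC")        # constructed firewall names
    plan.assign("branches", "FW-BR1", "FW-BR2")
    plan.publish("FW-HQ", "ip_user", "default")
    plan.publish("FW-DC", "ip_user", "default")
    plan.publish("FW-DC", "quarantine", "default")
    plan.subscribe("branches", "default")
    # FW-HQ joins 'branches' too; publishing ip_user there breaks the one-segment rule.
    plan.assign("branches", "FW-HQ")
    conflict = error_of(plan.publish, "FW-HQ", "ip_user", "branches")
    return plan, conflict


def limit_demo():
    """Subscribing past the documented 100-segment limit is rejected."""
    plan = UserContextPlan()
    plan.assign("hub", "FW-HUB")
    for i in range(MAX_SOURCE_SEGMENTS):
        plan.subscribe("hub", f"pub-{i}")
    return error_of(plan.subscribe, "hub", "pub-extra")


if __name__ == "__main__":
    plan, conflict = demo()
    for fw in ("FW-BR1", "FW-HQ", "FW-DC"):
        print(fw, plan.received(fw))
    print("conflict:", conflict)
    print("limit:", limit_demo())
```

Running `demo()` shows the two properties worth checking before enforcement depends on them: the branch firewalls receive the IP User Mappings of both hub firewalls and the Quarantine List of FW-DC, while FW-DC, which only publishes and subscribes to nothing, receives nothing. That is the situation the User-ID hub note above describes: a firewall that publishes into a segment only gets the other members' data if it is also a subscriber.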
- Onboard your Cloud Identity Engine instance.
  - Obtain the serial number for the firewall you want to onboard, and register the firewall with the Palo Alto Networks Customer Support Portal (CSP).
  - Click the magic link that Palo Alto Networks sends you by email to begin onboarding your Cloud Identity Engine tenant.
  - Click MSP Cloud Management.
  - Continue the onboarding process.
  - Claim the license for the tenant you want to onboard.
  - Select the Customer Support Account you want to use.
  - Select the Parent Tenant you want to use or click Create New to create a new tenant.
  - Click Claim and continue to continue the onboarding process.
  - Click Add Licensed Product to continue the onboarding process.
  - Select the contract you want to use.
  - Select the Region for your Cloud Identity Engine instance.
  - Click Activate Now to complete the onboarding process.
  - Confirm that the Status for the Cloud Identity Engine is Complete. You can access your Cloud Identity Engine instance by selecting Cloud Identity Engine.
  - In the bottom left of the window, select the icon for your tenant and select Device Associations.
  - Select Add Device.
  - Select your Customer Support Account and enter your firewall serial number.
  - Select the firewall and Save your changes.
  - Select Associate Apps.
  - Select the firewall, select the Cloud Identity Engine, and Save your selections.
- In the Cloud Identity Engine, activate sharing for mappings.
  - Log in to the Cloud Identity Engine app and select User Context > Segments.
  - Activate sharing for mappings.
- Configure the default segment as a publishing segment.
  - Select the Firewalls tab and select one or more firewalls.
  - After selecting the firewalls that you want to include in this segment, Assign Segments to the selected firewalls. Assigning a segment to a firewall defines which data the Cloud Identity Engine receives from or provides to that firewall. You can only assign segments to a firewall that runs PAN-OS 11.0; User Context does not support other source types.
  - (Optional) If you want to include additional firewalls in the segment, Add Firewalls to the segment to specify the firewalls you want to include.
  - For each Data Type that you want to share, select the Segment where you want to publish the data type. Firewalls publish each data type to one segment. To share data between firewalls, you must configure a segment for each data type you want to share. You can select the following data types:
    - IP User Mappings—(GlobalProtect, Authentication Portal, XFF Headers, Username Header Insertion, XML APIs, Syslog, Server Monitoring, Panorama TrustSec plugin) Maps the IP address to a username.
    - IP Tag Mappings—(Dynamic Address Group only) Maps the IP address to a tag.
    - User Tag Mappings—(Dynamic User Group only) Maps the tag to a user.
    - Quarantine List—(GlobalProtect only) Lists the firewalls that GlobalProtect has in quarantine.
    - IP Port Mappings—(Terminal Server agent only) Maps the IP address to the port range allocated to a Windows-based terminal server user.
  - Click Review Changes to review your configuration before submitting the changes.
  - Save the changes to confirm the configuration.
- Create a segment to subscribe to the publishing segment you created in the previous step. Publishing segments provide the specified data type that the Cloud Identity Engine collects from other firewalls to the segment containing the firewalls that you select. You can subscribe up to 100 segments per firewall.
  - Select User Context > Segments and click Add New Segment.
  - Enter a unique Segment Name and optionally a Description for the segment.
  - Click Add New Segment to save the changes.
  - Click Segments to add the segments from which you want to receive data.
  - Select the segments that you want to include and Add the segments.
- (Optional) Edit segments as needed to customize how the Cloud Identity Engine provides mappings to the firewalls.
  - If sharing for a data type is Enabled and you do not want to share this data type in this segment, select it to change the setting to Disabled.
  - If you no longer need a segment, delete it from the configuration.
  - When your configuration is complete, Review Changes and Save the configuration.
- On your firewall, enable the service that the Cloud Identity Engine uses to communicate with your firewall.
  - Ensure that you have configured a device certificate.
  - Log in to the firewall and Edit the PAN-OS Edge Service Settings (Device > Management > Setup > PAN-OS Edge Service Settings).
  - Enable User Context Cloud Service and click OK to confirm the changes. If the firewall traffic uses a management interface, create security policy rules to allow connectivity between the firewall and the User Context Cloud Service.
  - Commit your changes on the firewall.
- Verify that the User Context configuration is successful and view the mappings and tags that the Cloud Identity Engine collects from the firewall.
  - On the firewall, verify that the User Context Cloud Service Connection Status is active.
  - In the Cloud Identity Engine app, select User Context > Mappings & Tags to review the information for the data types. You can review the following data types:
    - User-ID—Search User-ID mappings by Username or IP address.
    - IP-Port User—(Terminal Server agent only) Search Terminal Server agent mappings by IP address.
    - Host IDs—(GlobalProtect only) Search devices (both quarantined and not quarantined) by Host ID.
Now that you’ve configured segments, you can use them to enable user- and group-based policy, authentication profiles and sequences, and other firewall-based tasks.