Cloud Identity User Context (PAN-OS)
Learn about user context for PAN-OS & Panorama with CIE.
To control data shared over your network with User Context:
Onboard your Cloud Identity Engine instance.
Obtain the serial number for the firewall you want to onboard and register the firewall with the Palo Alto Networks Customer Support Portal (CSP).
Click the magic link that Palo Alto Networks sent you by email to begin onboarding your Cloud Identity Engine tenant.
Click
MSP Cloud Management.
Continue the onboarding process.
Claim the license for the tenant you want to
onboard.
Select the
Customer Support Account you want to
use.
Select the
Parent Tenant you want to use or
click
Create New to create a new tenant.
Click
Claim and continue to continue the
onboarding process.
Click
Add Licensed Product to continue the
onboarding process.
Select the contract you want to use.
Select the
Region for your Cloud Identity Engine
instance.
Click
Activate Now to complete the onboarding
process.
Confirm that the
Status for the
Cloud
Identity Engine is
Complete.
You can access your Cloud Identity Engine instance by selecting
Cloud Identity Engine.
In the bottom left of the window, select the icon for your tenant and
select
Device Associations.
Add a device association: select your Customer Support Account and enter your firewall serial number.
Select the firewall
Save your changes.
Select
Associate Apps.
Select the firewall, select the
Cloud Identity
Engine, and
Save your
selections.
In the Cloud Identity Engine, activate sharing for mappings.
Log in to the Cloud Identity Engine app and select
Activate sharing for mappings.
Configure the default segment as a publishing segment.
Select the
Firewalls tab and select one or more
firewalls.
After selecting the firewalls that you want to include in this segment,
Assign Segments to the selected firewalls.
Assigning a segment to a firewall defines which data the Cloud Identity Engine receives from, or provides to, that firewall.
You can only assign segments to a firewall that runs PAN-OS 11.0; User Context does not support other source types.
(Optional) If you want to include additional firewalls in the segment,
Add Firewalls to the segment to specify the
firewalls you want to include.
For each
Data Type that you want to share,
select the
Segment where you want to publish the
data type.
A firewall publishes each data type to one segment. To share data between firewalls, configure a segment for each data type you want to share.
You can select the following data types:
- IP User Mappings—(GlobalProtect, Authentication Portal, XFF Headers, Username Header Insertion, XML APIs, Syslog, Server Monitoring, Panorama TrustSec plugin) Maps an IP address to a username.
- IP Tag Mappings—(Dynamic Address Group only) Maps an IP address to a tag.
- User Tag Mappings—(Dynamic User Group only) Maps a tag to a user.
- Quarantine List—(GlobalProtect only) Lists the devices (by host ID) that GlobalProtect has quarantined.
- IP Port Mappings—(Terminal Server agent only) Maps an IP address to the port range allocated to a Windows-based terminal server user.
Click
Review Changes to review your
configuration before submitting the changes.
Save the changes to confirm the
configuration.
Create a segment that subscribes to the publishing segment you created in the previous step.
A publishing segment provides the data types that the Cloud Identity Engine collects from its member firewalls to the segments that subscribe to it; the firewalls in a subscribing segment receive those mappings.
A firewall can subscribe to up to 100 segments.
Click
Add New Segment.
Enter a unique
Segment Name and optionally a
Description for the segment.
Click
Add New Segment to save the changes.
Click
Segments to choose the publishing segments from which this segment receives data.
Select the segments that you want to include and
Add them.
(Optional) Edit segments as needed to customize how the Cloud Identity Engine
provides mappings to the firewalls.
If sharing for a data type is
Enabled and you do
not want to share that data type in this segment, select it to change
the setting to
Disabled.
If you no longer need a segment, delete it from the configuration.
When your configuration is complete,
Review Changes and
Save the configuration.
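The publish/subscribe rules above (one publishing segment per data type, a per-segment Enabled/Disabled switch for each type, at most 100 subscriptions per firewall, PAN-OS 11.0 firewalls only) are easy to get wrong when several segments overlap. The following model, an added example and not Palo Alto Networks code, encodes exactly those rules so you can check which firewall will receive which mappings before you commit a design. The serials, segment names and the assumption that a publisher does not receive an echo of its own data are illustrative.

```python
"""Toy model of User Context segments: which firewall receives which mappings.

Added example, not Palo Alto Networks code. It encodes the rules this page
states (one publishing segment per data type, Enabled/Disabled per segment,
at most 100 subscriptions per firewall, PAN-OS 11.0 only). Serials, names
and the assumption that a publisher gets no echo of its own data are mine.
"""
from dataclasses import dataclass, field

DATA_TYPES = ("ip_user", "ip_tag", "user_tag", "quarantine", "ip_port")
MAX_SUBSCRIPTIONS = 100   # page: up to 100 segments per firewall
SUPPORTED_PANOS = "11.0"  # page: segments only for PAN-OS 11.0 firewalls


@dataclass
class Segment:
    name: str
    members: set = field(default_factory=set)        # firewall serials
    subscriptions: set = field(default_factory=set)  # publishing segments
    enabled: dict = field(default_factory=lambda: dict.fromkeys(DATA_TYPES, True))


@dataclass
class Firewall:
    serial: str
    panos: str
    publishes: dict = field(default_factory=dict)    # data type -> segment


class UserContextConfig:
    def __init__(self):
        self.segments = {"default": Segment("default")}
        self.firewalls = {}

    def add_firewall(self, serial, panos):
        self.firewalls[serial] = Firewall(serial, panos)

    def supports_user_context(self, serial):
        return self.firewalls[serial].panos.startswith(SUPPORTED_PANOS + ".")

    def add_segment(self, name):
        if name in self.segments:
            raise ValueError(f"segment name must be unique: {name}")
        self.segments[name] = Segment(name)

    def assign(self, serial, segment):
        if not self.supports_user_context(serial):
            raise ValueError(f"{serial}: User Context needs PAN-OS {SUPPORTED_PANOS}")
        self.segments[segment].members.add(serial)

    def publish(self, serial, data_type, segment):
        if data_type not in DATA_TYPES:
            raise ValueError(f"unknown data type: {data_type}")
        if serial not in self.segments[segment].members:
            raise ValueError(f"{serial} is not assigned to {segment}")
        self.firewalls[serial].publishes[data_type] = segment  # one per type

    def subscription_count(self, serial):
        subs = set()
        for seg in self.segments.values():
            if serial in seg.members:
                subs |= seg.subscriptions
        return len(subs)

    def subscribe(self, segment, publishing_segment):
        """Return False (and change nothing) if a member would exceed the cap."""
        seg = self.segments[segment]
        if publishing_segment not in self.segments:
            raise KeyError(publishing_segment)
        if publishing_segment in seg.subscriptions:
            return True
        seg.subscriptions.add(publishing_segment)
        if any(self.subscription_count(s) > MAX_SUBSCRIPTIONS for s in seg.members):
            seg.subscriptions.discard(publishing_segment)  # roll back
            return False
        return True

    def receivers(self, publisher, data_type):
        """Firewalls that get `data_type` mappings published by `publisher`."""
        pub_seg = self.firewalls[publisher].publishes.get(data_type)
        out = set()
        for seg in self.segments.values():
            if pub_seg in seg.subscriptions and seg.enabled.get(data_type):
                out |= seg.members
        out.discard(publisher)  # assumption: no echo back to the publisher
        return out


def build_example():
    """Two firewalls: HQ publishes to 'default', 'branch' subscribes to it."""
    cfg = UserContextConfig()
    cfg.add_firewall("001234567890", "11.0.2")  # constructed serials
    cfg.add_firewall("001234567891", "11.0.2")
    cfg.assign("001234567890", "default")
    cfg.publish("001234567890", "ip_user", "default")
    cfg.publish("001234567890", "ip_tag", "default")
    cfg.add_segment("branch")
    cfg.assign("001234567891", "branch")
    cfg.subscribe("branch", "default")
    cfg.segments["branch"].enabled["ip_tag"] = False  # page: set a type to Disabled
    return cfg
```

In `build_example()` the branch firewall receives the HQ firewall's IP-user mappings but not its IP-tag mappings, because IP Tag Mappings were switched to Disabled in the subscribing segment; a data type the HQ firewall never published (User Tag Mappings) reaches nobody. `subscribe()` refuses a subscription that would push any member past the 100-segment limit, which is the same check the UI enforces.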
On your firewall, enable the service that the Cloud Identity Engine uses to
communicate with your firewall.
Ensure that you have configured a device certificate; the firewall presents it to authenticate to the cloud service.
Log in to the firewall and
Edit the
PAN-OS Edge Service Settings.
Enable User Context Cloud Service and click
OK to confirm the changes.
If the firewall traffic uses a management interface, create
security policy rules to allow connectivity between the firewall
and the User Context Cloud Service.
Commit your changes on the firewall.
Verify the User Context configuration is successful and view the mappings and
tags that the Cloud Identity Engine collects from the firewall.
On the firewall, verify the User Context Cloud Service
Connection Status is active.
In the Cloud Identity Engine app, open the view for the data type you want to check.
You can review the following data types:
- User-ID—Search User-ID mappings by
Username or IP
address.
- User Tags—Search Dynamic User Group
tags by Username or by
Tag.
- IP Tags—Search Dynamic Address Group
tags by IP address or by
Tag.
- IP-Port User—(Terminal Server agent only)
Search Terminal Server agent mappings by
IP address.
- Host IDs—(GlobalProtect only) Search
devices (both quarantined and not quarantined) by
Host ID.
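Searching the Cloud Identity Engine app by username or IP address confirms that the publisher's mappings reached the cloud; it does not, by itself, confirm that a subscribing firewall received them. The script below, an added example and not Palo Alto Networks code, compares the output of the PAN-OS operational command `show user ip-user-mapping all` from a publishing and a subscribing firewall and reports IPs that the subscriber is missing or maps to a different user. The two XML responses are constructed in the shape of that command's output, the `<type>` values in them are illustrative, and `fetch_mappings()` shows the XML API call you would use against a live firewall.

```python
"""Compare IP-user mappings between a publishing and a subscribing firewall.

Added example, not Palo Alto Networks code. parse_ip_user_mappings() reads
the XML returned by the PAN-OS operational command
`show user ip-user-mapping all`; the sample responses below are constructed
and the <type> values in them are illustrative. fetch_mappings() shows the
XML API call that obtains the real output and is not used offline.
"""
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

OP_CMD = "<show><user><ip-user-mapping><all/></ip-user-mapping></user></show>"


def parse_ip_user_mappings(xml_text):
    """Return {ip: (user, type)} from a `show user ip-user-mapping all` response."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError("firewall returned status=%s" % root.get("status"))
    mappings = {}
    for entry in root.iter("entry"):
        ip, user = entry.findtext("ip"), entry.findtext("user")
        if ip and user:
            mappings[ip] = (user, entry.findtext("type"))
    return mappings


def missing_on_subscriber(publisher_xml, subscriber_xml):
    """IPs the publisher maps that the subscriber lacks or maps to another user."""
    pub = parse_ip_user_mappings(publisher_xml)
    sub = parse_ip_user_mappings(subscriber_xml)
    return {ip: user for ip, (user, _) in pub.items()
            if sub.get(ip, (None,))[0] != user}


def fetch_mappings(host, api_key):
    """Live query; keep TLS verification on so the API key is not exposed."""
    url = "https://%s/api/?%s" % (host, urllib.parse.urlencode(
        {"type": "op", "cmd": OP_CMD, "key": api_key}))
    with urllib.request.urlopen(url, timeout=15) as resp:
        return parse_ip_user_mappings(resp.read())


# Constructed responses in the shape of the real command output.
PUBLISHER_XML = """<response status="success"><result>
<entry><ip>10.10.1.20</ip><vsys>vsys1</vsys><type>GP</type><user>acme\\alice</user></entry>
<entry><ip>10.10.1.21</ip><vsys>vsys1</vsys><type>XMLAPI</type><user>acme\\bob</user></entry>
<entry><ip>10.10.1.22</ip><vsys>vsys1</vsys><type>GP</type><user>acme\\carol</user></entry>
<count>3</count></result></response>"""

# Subscriber: 10.10.1.20 arrived, 10.10.1.21 is stale, 10.10.1.22 never arrived.
SUBSCRIBER_XML = """<response status="success"><result>
<entry><ip>10.10.1.20</ip><vsys>vsys1</vsys><type>CLOUD</type><user>acme\\alice</user></entry>
<entry><ip>10.10.1.21</ip><vsys>vsys1</vsys><type>CLOUD</type><user>acme\\dave</user></entry>
<count>2</count></result></response>"""


if __name__ == "__main__":
    for ip, user in sorted(missing_on_subscriber(PUBLISHER_XML, SUBSCRIBER_XML).items()):
        print(f"{ip}: publisher maps to {user}, subscriber does not")
```

Run it against two live firewalls by replacing the constructed strings with `fetch_mappings(host, api_key)` results; an empty result means every publisher mapping is present on the subscriber. A non-empty result after the service Connection Status shows active usually points at the segment configuration (the data type switched to Disabled, or the subscriber not in a segment that subscribes to the publisher's segment) rather than at connectivity.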