Prisma Access
Configure HIP Redistribution in Prisma Access
Table of Contents
Configure HIP Redistribution in Prisma Access
Prisma Access
How to configure HIP redistribution in a
Prisma Access (Managed by Panorama)
deployment.Where Can I Use This? | What Do I Need? |
|---|---|
|
|
When a mobile user whose endpoint has the GlobalProtect app installed connects to Prisma
Access,
Prisma Access
collects the user’s HIP information from the endpoint’s
GlobalProtect app, which makes the HIP report available in Prisma Access
. To use HIP redistribution, users must have the GlobalProtect app installed on their
endpoint. While
Prisma Access
supports Clientless VPN, you can't redistribute HIP
information for Clientless VPN users. HIP redistribution is applicable to both mobile users and users at remote networks.
However, for users at remote networks, an on-premises gateway must detect that the user
is internal to the organization’s network using internal host detection before the
on-premises gateway can send HIP information to
Prisma Access
.In
Prisma Access
, you configure internal host detection when you configure your mobile user deployment.To assure consistent policy enforcement, you can use HIP redistribution to allow Prisma
Access to distribute users’ HIP information to other
Panorama appliances, gateways, firewalls, and virtual systems in your deployment, as
well as distribute HIP information from those devices to
Prisma Access
in some cases. This ability allows you to consistently apply
HIP-based policy enforcement for users’ traffic, including policies for internet-bound
traffic or for traffic that is accessing an internal application or resource in your
organization’s headquarters or data center. Redistributing HIP information to the
Panorama appliance also lets you view detailed HIP information for Prisma Access
users from that appliance.Cloud Management
Cloud Management
Learn how to redistribute HIP information.
Panorama
Panorama
Learn how to redistribute HIP information.
To allow
Prisma Access
to collect and redistribute HIP information, complete the
following task.- AllowPrisma Accessto redistribute HIP information.
- In Panorama, select .
- Click the gear icon to edit the settings.
- In theAdvancedtab, selectEnable HIP Redistribution.Enabling HIP Redistribution enablesPrisma Accessto redistribute the HIP reports received from the GlobalProtect app to internal firewalls and to Panorama.
- Configure Panorama to receive HIP reports fromPrisma Access.
- Select .
- Select theManagementinterface.
- SelectUser-ID.
- Configure Panorama to collect the User-ID mapping fromPrisma Access.
- From the Panorama that managesPrisma Access, select (for Panorama 10.xappliances) or (for 9.1.xPanorama appliances).
- Adda User-ID Agent and give it aName.
- Enter one of the following values in theHostfield, depending on the types of HIP information you want to collect.
- To collect HIP information for mobile users, enter theUser-ID Agent Address().
- To collect HIP information from users at a remote network locations with an internal gateway, enter the IP address of the internal gateway.
- To collect HIP information from users are a remote network connection, enter theEBGP Routeraddress ( as the User-ID host.
- Enter5007in the port field.By default, the User-ID agent uses port 5007 to listen for HIP information requests.Make sure that your network does not block access to this port betweenPrisma Accessand the Active Directory server or User-ID Agent.
- SelectEnabledto enable Panorama to communicate with the User-ID agent.
- SelectIP User MappingsandHIPto enable Panorama to receive IP address-to-username mappings and GlobalProtect HIP data from all mobile user locations.
- ClickOK.
- Repeat Step 3 for each service connection to which you want to configure HIP report collection.