Preserve User-ID and Device-ID Mapping for Service Connections with Source NAT
Learn how to preserve the user-ID and device-ID mapping for GlobalProtect users who are accessing apps behind a data center with a next-generation firewall.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
What Do I Need?
  • Prisma Access license
  • Next-generation firewall (NGFW) running a minimum version of PAN-OS 11.2
  • This functionality uses Geneve encapsulation. Make sure that any downstream firewalls, in addition to the NGFWs running PAN-OS 11.2 or later, are able to decapsulate Geneve traffic.
This functionality is not supported with Dynamic Privilege Access.
You use service connections, also known as service connection—corporate access nodes (SC-CANs), in Prisma Access to secure private apps. To limit access to the apps based on User-ID or Device-ID, you can deploy a Next-Generation Firewall (NGFW) in the data center or headquarters location where the private apps are located; then, configure policy rules on the NGFW based on User-ID mapping, Device-ID mapping, or both.
To use these rules, the NGFW must receive the User- or Device-ID mapping from the SC-CAN; however, if users are connecting to Prisma Access using GlobalProtect and the SC-CAN has Data Traffic source NAT enabled, the NGFW can't obtain this mapping. If Data Traffic source NAT is enabled on the SC-CAN, it performs NAT on the Mobile User IP address pool and does not advertise those IP addresses in the data center or headquarters location.
In this case, the NGFW can't retrieve the GlobalProtect users' User- or Device-ID, which means that you can't enforce policy based on User- or Device-ID.
To make sure that your network distributes the User- or Device-ID mapping to the headquarters or data center, complete the procedure listed in one of the following sections, which allows the NGFW to enforce security policy rules based on the User-ID mapping it learns from GlobalProtect.
An NGFW with a minimum PAN-OS version of 11.2 is required. The service connection does not have to terminate on the NGFW and can terminate on another IPSec-capable device, as long as the NGFW is downstream from where the service connection is terminated.
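The following Python toy model is an added illustration for this page; it is not Palo Alto Networks documentation or PAN-OS code. It models the situation described above: the SC-CAN rewrites the mobile user's source address, the NGFW keys its User-ID and Device-ID mappings by the pre-NAT (GlobalProtect pool) address, and a policy rule written for a user therefore falls through to the final deny unless the pre-NAT identity is carried with the traffic and the zone's Pre-NAT Identification options (User-ID, Device-ID, Source Lookup) tell the NGFW to use it. All addresses, users, devices and rules are constructed sample values; the metadata field, the mapping tables and the rulebase are assumptions of the model, not the product's data structures.

```python
# Toy model (constructed for this page, not Prisma Access or PAN-OS code) of why
# an NGFW behind a source-NAT service connection loses User-ID/Device-ID mapping,
# and what the Pre-NAT Identification zone options give back. All IP addresses,
# users, devices and rules are constructed sample values.
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed post-NAT source address the SC-CAN presents to the data center.
SC_CAN_NAT_IP = "198.51.100.10"

# Constructed mappings as the NGFW learns them from GlobalProtect: keyed by the
# pre-NAT mobile-user pool address, never by the NAT address.
USER_ID_MAP = {"192.0.2.15": "alice", "192.0.2.16": "bob"}
DEVICE_ID_MAP = {"192.0.2.15": "corp-laptop-01", "192.0.2.16": "byod-tablet-07"}


@dataclass
class Packet:
    src_ip: str                         # source in the IP header (post-NAT at the NGFW)
    dst_ip: str
    pre_nat_src: Optional[str] = None   # original source carried as metadata, if preserved


@dataclass
class ZoneOptions:
    """The Pre-NAT Identification checkboxes on the NGFW zone (modelled)."""
    user_id: bool = False
    device_id: bool = False
    source_lookup: bool = False


def sc_can_forward(client_ip: str, dst_ip: str, preserve_prenat: bool) -> Packet:
    """Model the SC-CAN with Data Traffic source NAT: the header source is rewritten;
    the original source travels alongside only when the preserve feature is enabled."""
    return Packet(src_ip=SC_CAN_NAT_IP, dst_ip=dst_ip,
                  pre_nat_src=client_ip if preserve_prenat else None)


def identify(pkt: Packet, zone: ZoneOptions) -> Tuple[Optional[str], Optional[str], str]:
    """Return (user, device, source IP used for policy matching) as the NGFW resolves them.
    Each option falls back to the header source when it is off or no pre-NAT data arrived."""
    user_key = pkt.pre_nat_src if zone.user_id and pkt.pre_nat_src else pkt.src_ip
    device_key = pkt.pre_nat_src if zone.device_id and pkt.pre_nat_src else pkt.src_ip
    policy_src = pkt.pre_nat_src if zone.source_lookup and pkt.pre_nat_src else pkt.src_ip
    return USER_ID_MAP.get(user_key), DEVICE_ID_MAP.get(device_key), policy_src


# Constructed rulebase, first match wins; None means "any".
RULES = [
    {"name": "allow-alice-hr-app", "user": "alice", "src": None, "dst": "10.0.0.5", "action": "allow"},
    {"name": "allow-bob-host-src", "user": None, "src": "192.0.2.16", "dst": "10.0.0.6", "action": "allow"},
    {"name": "deny-all", "user": None, "src": None, "dst": None, "action": "deny"},
]


def evaluate(pkt: Packet, zone: ZoneOptions) -> Tuple[str, str]:
    """Match the packet against RULES using the identities the zone options expose."""
    user, _device, policy_src = identify(pkt, zone)
    for rule in RULES:
        if rule["user"] is not None and rule["user"] != user:
            continue
        if rule["src"] is not None and rule["src"] != policy_src:
            continue
        if rule["dst"] is not None and rule["dst"] != pkt.dst_ip:
            continue
        return rule["name"], rule["action"]
    raise RuntimeError("rulebase has no final rule")  # unreachable while deny-all is present


if __name__ == "__main__":
    off = ZoneOptions()
    on = ZoneOptions(user_id=True, device_id=True, source_lookup=True)
    # Feature off: the header source is the NAT address, no mapping, traffic hits deny-all.
    print(evaluate(sc_can_forward("192.0.2.15", "10.0.0.5", preserve_prenat=False), off))
    # Feature on and zone options set: alice is recognised and her rule matches again.
    print(evaluate(sc_can_forward("192.0.2.15", "10.0.0.5", preserve_prenat=True), on))
```

The model makes two points a practitioner should verify in a real deployment: the preserve feature on the SC-CAN and the zone options on the NGFW are both required (the pre-NAT data is ignored when the zone option is off, and the zone option has nothing to read when the feature is off), and Source Lookup only changes which address a rule's source field is compared against, not which User-ID or Device-ID is resolved.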

Preserve User and Device-ID Mapping for Service Connections with Source NAT (Strata Cloud Manager)

To have Prisma Access distribute User-ID mappings from GlobalProtect users to an NGFW at the headquarters or data center in Prisma Access (Managed by Strata Cloud Manager), complete the following steps.
This procedure assumes that you have the following network configuration in place:
  • You have enabled Data Traffic source NAT on the service connection.
  • You have deployed an NGFW at the headquarters or data center where the private apps are located.
  • You have applied security policy rules for Prisma Access on the NGFW based on zones you have created in the NGFW.
  1. Enter Pre-NAT Identification parameters on the NGFW.
    1. Log in to the NGFW, or log in to the SCM or Panorama that manages the NGFW, and go to Network > Zones.
    2. Add a zone or select an existing zone.
    3. Select one or more Pre-NAT Identification parameters:
      • User-ID—Preserves the mobile user User-ID mapping used before the IP addresses were NATted. Enable this if you're using User-IDs in security policy rules.
      • Device-ID—Preserves the mobile user Device-ID mapping used before the IP addresses were NATted. Enable this if you're using Device-ID in security policy rules.
      • Source Lookup—Enables you to match the original Source IP address received from GlobalProtect. If you're using source lookup in QoS or policy-based forwarding (PBF) policies, the source IP comparison is based on the pre-NAT source IP address. For example, if you had a security policy that allowed a source IP address of 1.1.1.1 and a destination IP address of Any, 1.1.1.1 is compared with the pre-NAT source IP address in the packet header.
      • Enable Original ID Downstream—If you have two NGFWs in a row, specify this option to have the first NGFW send the pre-NAT information to the second NGFW after the first NGFW has inspected the traffic and applied policies to it. This is the default configuration on SC-CANs.
    4. Click OK and Commit your changes.
  2. Create a command-line interface (CLI) session with the NGFW and enter the following command in configuration mode:
    set deviceconfig setting preserve-prenat-feature yes
    If you need to disable this feature in the future, enter set deviceconfig setting preserve-prenat-feature no.
  3. Enable pre-NAT settings in Strata Cloud Manager.
    1. Go to Workflows > Prisma Access Setup > Prisma Access > Infrastructure Settings.
    2. Enable Preserve pre-NAT (User-ID/Device-ID).
    3. Push Config to save your changes.

Preserve User and Device-ID Mapping for Service Connections with Source NAT (Panorama)

To have Prisma Access distribute User-ID mappings from GlobalProtect users to an NGFW at the headquarters or data center in Prisma Access (Managed by Panorama), complete the following steps.
This procedure assumes that you have the following network configuration in place:
  • You have enabled Data Traffic source NAT on the service connection.
  • You have deployed an NGFW at the headquarters or data center where the private apps are located.
  • You have applied security policy rules for Prisma Access on the NGFW based on zones you have created in the NGFW.
  1. Enter Pre-NAT Identification parameters on the NGFW.
    1. Log in to the NGFW, or log in to the SCM or Panorama that manages the NGFW, and go to Network > Zones.
    2. Add a zone or select an existing zone.
    3. Select one or more Pre-NAT Identification parameters:
      • User-ID—Preserves the mobile user User-ID mapping used before the IP addresses were NATted. Enable this if you're using User-IDs in security policy rules.
      • Device-ID—Preserves the mobile user Device-ID mapping used before the IP addresses were NATted. Enable this if you're using Device-ID in security policy rules.
      • Source Lookup—Enables you to match the original Source IP address received from GlobalProtect. If you're using source lookup in QoS or policy-based forwarding (PBF) policies, the source IP comparison is based on the pre-NAT source IP address. For example, if you had a security policy that allowed a source IP address of 1.1.1.1 and a destination IP address of Any, 1.1.1.1 is compared with the pre-NAT source IP address in the packet header.
      • Enable Original ID Downstream—If you have two NGFWs in a row, specify this option to have the first NGFW send the pre-NAT information to the second NGFW after the first NGFW has inspected the traffic and applied policies to it. This is the default configuration on SC-CANs.
    4. Click OK and Commit your changes.
  2. Create a command-line interface (CLI) session with the NGFW and enter the following command in configuration mode:
    set deviceconfig setting preserve-prenat-feature yes
    If you need to disable this feature in the future, enter set deviceconfig setting preserve-prenat-feature no.
  3. From the Panorama that manages Prisma Access, enable pre-NAT settings.
    1. Go to Panorama > Cloud Services > Configuration > Service Setup and click the gear to edit the Settings.
    2. Select Preserve pre-NAT (User-ID/Device-ID).
    3. Commit and Push your changes.