Panorama

Configure IP address-to-username mapping for your mobile users and users at remote network locations.
For Mobile Users—GlobalProtect deployments, the GlobalProtect agent in
Prisma Access
automatically performs User-ID mapping.
For users at remote networks, Configure User-ID for Remote Network Deployments to map IP addresses to User IDs.
Configure username-to-user group mapping for your mobile users and users at remote network locations.
For Mobile Users—GlobalProtect, Explicit Proxy, and remote network deployments, configure the Directory Sync component of the Cloud Identity Engine to retrieve user and group information from your Active Directory (AD); then, configure
Group Mapping Settings
in your Mobile Users—GlobalProtect or remote network deployment.
Alternatively, you can enable username-to-user group mapping for mobile users and users at remote networks using an LDAP server profile.
We recommend using a Group Include List in the LDAP server profile, so that you can specify which groups you want to retrieve, instead of retrieving all group information.
Allow Panorama to use username-to-user group mapping in security policies by completing one of the following actions:
Configure the Directory Sync component of the Cloud Identity Engine to retrieve user and group information from your Active Directory (AD); then, configure
Group Mapping Settings
in your Mobile Users—GlobalProtect, Mobile Users—Explicit Proxy, or remote network deployment.
Configure group-based policy by specifying the full distinguished name (DN) of the group.
Redistribute HIP information to Panorama.