>
    Identity Redistribution
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma Access
    3. Prisma Access User-Based Policy
    4. Identity Redistribution
    Download PDF
    Prisma Access

    Identity Redistribution

    Table of Contents

    Identity Redistribution

    Where Can I Use This?
    What Do I Need?
    • Prisma Access (Managed by Strata Cloud Manager)
    • Prisma Access (Managed by Panorama)
    • Prisma Access
       license
    So that you can enforce your security policy consistently,
    Prisma Access
     shares identity data that GlobalProtect discovers locally across your entire Prisma Access environment.
    Prisma Access
     can also share identity data with on-premises devices at remote network sites or service connection sites (HQ and data centers).
    For mobile users to access a resource at a remote network location or HQ/data center that’s secured by a device with user-based policies, you must redistribute the identity data from the
    Prisma Access
     mobile users and users at remote networks to that on-premises device.
    When the users connect to
    Prisma Access
    ,
    Prisma Access
     collects the user’s identity data and stores it.
    The following example shows two mobile users that have an existing IP address-to-username mapping in
    Prisma Access
    .
    Prisma Access
     then redistributes this mapping by way of a service connection to the on-premises devices that’s securing the HQ/data center.
    Prisma Access (Managed by Strata Cloud Manager)
     automatically enables service connections to work as identity redistribution agents (also called User-ID agents).

    Cloud Management

    So that you can enforce your security policy consistently,
    Prisma Access
     shares identity data that GlobalProtect discovers locally across your entire
    Prisma Access
     environment.
    Prisma Access
     can also share identity data with on-premises devices at remote network sites or service connection sites (HQ and data centers).
    For
    Prisma Access (Managed by Strata Cloud Manager)
    , we’ve enabled some identity data redistribution by default, and for what’s left, we’ve made the configuration to enable redistribution very simple (just select a checkbox to select what data you want to share).
    From the Identity Distribution dashboard, you can see how identity data is being shared and manage data redistribution (
    Manage
    Configuration
    Identity Services
    Identity Redistribution
    .
    If you're using Strata Cloud Manager, go to
    Manage
    Configuration
    NGFW and
    Prisma Access
    Identity Services
    .
    Identity data that you can redistribute includes:
    • HIP data
    • IP-address-to-tag mappings
    • IP-address-to-user mappings
    • User-to-tag mappings
    • Quarantined devices
    Get started with identity redistribution:

    Set Up Identity Redistribution

    Set Up Identity Redistribution
    • Confirm Your Service Connection Setup.
      If you haven’t yet set up a service connection for your HQ or data centers, begin by configuring a service connection. A service connection is required for Prisma Access to share identity data across your environment;
      Prisma Access
       automatically enables service connections to work as redistribution agents. A newly created service connection site will be ready to be used as a redistribution agent when you see that it's been assigned a User-ID agent Address (
      Prisma Access
       does this automatically, and it'll just take a few minutes).
      User-ID Redistribution Management
      —Sometimes, granular controls are needed for user-ID redistribution in particularly large scale
      Prisma Access
       deployments. User-ID Redistribution Management lets you manually disable the default identity redistribution behavior for certain service connections by removing the check mark in the
      User ID
       column, and then select specific service connections to be used for identity redistribution. It's not necessary to do this for most configurations. Contact Palo Alto Networks support to activate this functionality.
      Go to
      Manage
      Configuration
      NGFW and
      Prisma Access
      Identity Services
      Identity Redistribution
       set the configuration scope to
      Service Connections
       to verify the service connection User-ID agent details.
    • Send Identity Data from
      Prisma Access
       to on-premises Devices.
      The service connection’s User-ID agent information is all you need to configure
      Prisma Access
       to distribute identity data to on-premises devices.
      Go to
      Manage
      Configuration
      Identity Services
      Identity Redistribution
       and set the configuration scope to
      Service Connections
       to get the service connection User-ID agent details.
      If you're using Strata Cloud Manager, go to
      Manage
      Configuration
      NGFW and
      Prisma Access
      Identity Services
      Identity Redistribution
       set the configuration scope to
      Service Connections
       to get the service connection User-ID agent details.
      Use these details to configure
      Prisma Access
       as a data redistribution agent on Panorama or a Palo Alto Networks NGFW.
    • Send Identity Data from on-premises Devices to
      Prisma Access
      .
      Add on-premises devices to
      Prisma Access
       as redistribution agents; the devices you add will be able to distribute identity data to Prisma Access.
      • From devices at remote network sites:
        Go to the
        Identity Redistribution
         dashboard, set the configuration scope to
        Remote Networks
        , and
        Add Agent
        . In addition to specifying the host details, select the type of data the device shares with
        Prisma Access
        . Optional settings include the name and a pre-shared key for the device.
      • From devices at service connection sites:
        Go to the
        Identity Redistribution
         dashboard, set the configuration scope to
        Service Connections
        , and
        Add Agent
        . In addition to specifying the host details, select the type of data the device shares with
        Prisma Access
        . Optional settings include the name and a pre-shared key for the device.
    • Configure the Terminal Server agent for User Mapping.
      The Terminal Server (TS) agent allocates a port range to each user to identify specific users on Windows-based terminal servers. The TS agent notifies
      Prisma Access
       of the allocated port ranges, so that Prisma Access can enforce policy based on users and user groups.
      On the
      Identity Redistribution
       dashboard, set the configuration scope to
      Remote Networks
      , and
      Add Terminal Server Agent
       under
      Terminal Server Sending to Remote Networks Nodes
      .
      • By default, the configuration is
        Enabled
        .
      • Enter a
        Name
         for the TS agent.
      • Enter the IP address of the Windows
        Host
         on which the TS agent is installed.
      • Enter the
        Port
         number on which the agent listens for user mapping requests. The port is set to 5009 by default.
      • Save
         your changes.
    • Distribute Identity Data Across Your
      Prisma Access
       Environment.
      On the
      Identity Redistribution
       dashboard,
      Edit
       the diagram to specify the identity data you want to collect from each source and share across
      Prisma Access
      .
    • To activate your changes, push the configuration to
      Prisma Access
      .

    Panorama

    Shows the steps you take to redistribute User-ID information from
    Prisma Access
     to an on-premises firewall and from an on-premises firewall to
    Prisma Access
    .
    After you configure User-ID, you consistently enforce user-based policy for all mobile users and users at remote network locations by redistributing the IP address-to-username mapping from
    Prisma Access
     to all next-generation firewalls that secure access to network resources. Use one of the following methods to redistribute IP address-to-username mapping to mobile users and users in remote networks from an on-premises next-generation firewall and vice versa:

    Redistribute User-ID Information From
    Prisma Access
     to an On-Premises Firewall

    Redistribute User-ID Information From
    Prisma Access
     to an on-premises Firewall.
    In cases where mobile users need to access a resource on a remote network location or HQ/data center and the resource is secured by an on-premises next-generation firewall with user-based policies, you must redistribute IP address-to-username mapping from the
    Prisma Access
     mobile users and users at remote networks to the on-premises firewall. When the user connects to Prisma Access, it collects this user-to-IP address mapping and stores it.
    The following figure shows two mobile users who have an existing IP address-to-username mapping in
    Prisma Access
    .
    Prisma Access
     then redistributes this mapping by way of a either a service connection (SC-CAN) or remote network connection (RN-SPN) to the on-premises firewall that secures the HQ/data center.
    Prisma Access
     uses the service connection or remote network connection as an IPSec tunnel that serves as the underlay path to the Layer 3 network. You can use any route path over an IPSec trusted tunnel for privately addressed destinations to redistribute this mapping.
    To redistribute User-ID mappings from
    Prisma Access
     to an on-premises firewall, complete the following steps.
    Make sure you don't apply any SSL decryption on any connection that redistributes user identity to the on-premises firewall (the SC-CAN or RN-SPN), including any firewalls that are in the redistribution path. Alternatively, you can apply a decryption exclusion to the redistribution traffic.
    1. Make a note of the IP address to use when you configure the data redistribution agent.
      • For remote network connections, find the
        EBGP Router
         address (
        Panorama
        Cloud Services
        Status
        Network Details
        Remote Networks
        EBGP Router
        ).
      • For service connections, find the
        User-ID Agent Address
         (
        Panorama
        Cloud Services
        Status
        Network Details
        Service Connection
        User-ID Agent Address
        ).
        If you haven’t yet set up a service connection for your HQ or data centers, begin by configuring a service connection.
        Prisma Access
         uses service connections to share identity data across your environment;
        Prisma Access
         automatically enables service connections to work as redistribution agents. A newly created service connection site will be ready to be used as a redistribution agent when you see that it's been assigned a User-ID agent Address (
        Prisma Access
         does this automatically, and it'll just take a few minutes).
        User-ID Redistribution Management
        —Sometimes, granular controls are needed for user-ID redistribution in particularly large scale
        Prisma Access
         deployments. User-ID Redistribution Management lets you manually disable the default identity redistribution behavior for certain service connections by removing the check mark in the
        User ID
         column, and then select specific service connections to be used for identity redistribution. It's not necessary to do this for most configurations. Contact Palo Alto Networks support to activate this functionality.
    2. Configure
      Prisma Access
       as a User-ID agent that redistributes user mapping information.
      1. In the Panorama that manages
        Prisma Access
        , select
        Device
        Data Redistribution
        Collector Settings
        .
        To configure the collector on a service connection, select the
        Service_Conn_Template
        ; to configure the collector on a remote network connection, select the
        Remote_Network_Template.
      2. Click the gear icon to edit the settings.
      3. Provide a
        Collector Name
         and a
        Collector Pre-Shared Key
         to identify
        Prisma Access
         as a User-ID agent.
      4. Click
        OK
         to save your changes.
    3. Configure the on-premises firewall to collect the User-ID mapping from
      Prisma Access
      .
      1. From the on-premises firewall, select
        Device
        Data Redistribution
        Agents
        .
      2. Add
         a User-ID agent and give it a
        Name
        .
      3. Select
        Host and Port
        .
      4. Enter the
        User-ID Agent Address
         (for a service connection) or
        EBGP Router Address
         (for a remote network connection) from
        Prisma Access
         in the
        Host
         field.
      5. Enter the
        Collector Name
         and
        Collector Pre-Shared Key
         for the Prisma Access collector you created earlier in the procedure.
      6. Select
        IP User Mappings
        .
      7. Click
        OK
        .
      8. Repeat these steps for each service connection or remote network connection for which you want to redistribute mappings.

    Redistribute User-ID Information From an On-Premises Firewall to Prisma Access

    Redistribute User-ID Information From an on-premises Firewall to
    Prisma Access
    .
    In cases where users are at a branch location or HQ that is secured by an on-premises next-generation firewall with user-based policies, and they need to access resources at another branch location that you have secured with Prisma Access, you must redistribute IP address-to-user name mappings from the on-premises firewall to
    Prisma Access
    .
    The following figure shows an HQ/Data center with an on-premises next-generation firewall with existing IP address-to-username mapping.
    Prisma Access
     connects to the firewall with either a service connection (SC-CAN) or remote network connection (RN-SPN), and the on-premises firewall redistributes the mapping to
    Prisma Access
    .
    The following figure shows a
    Prisma Access
     service connection or remote network connection being used to redistribute the mapping. You can use any route path over an IPSec trusted tunnel for privately addressed destinations to redistribute this mapping.
    To redistribute User-ID mappings from an on-premises firewall to
    Prisma Access
    , complete the following steps.
    1. Configure the on-premises firewall to redistribute User-ID information to
      Prisma Access
      .
      1. From the on-premises firewall, select
        Device
        Data Redistribution
        Collector Settings
        .
      2. Click the gear icon to edit the settings.
      3. Provide a
        Collector Name
         and a
        Collector Pre-Shared Key
         to identify the on-premises firewall as a User-ID agent.
      4. Click
        OK
         to save your changes.
    2. Configure
      Prisma Access
       to collect the User-ID mapping from the on-premises firewall.
      1. From the Panorama that manages
        Prisma Access
        , select
        Device
        Data Redistribution
        Agents
        .
        Make sure that you have selected the
        Service_Conn_Template
         (for service connections) or the
        Remote_Network_Template
         (for remote network connections) in the
        Templates
         drop-down at the top of the page.
      2. Add
         a User-ID agent and give it a
        Name
        .
      3. Select
        Host and Port
        .
      4. Enter the IP address of the MGT interface or service route that the firewall uses to send user mappings in the
        Host
         field.
        For the MGT interface, you can enter a hostname instead of the IP address.
      5. Enter the
        Collector Name
         and
        Collector Pre-Shared Key
        , using the values for the collector you used for the on-premises firewall in Step 1.
      6. Select
        IP User Mappings
        .
      7. Click
        OK
        .

    Recommended For You

    © 2024 Palo Alto Networks, Inc. All rights reserved.