How to configure HIP redistribution in a Panorama Managed Prisma Access deployment.
To allow Prisma Access to collect and redistribute HIP information, complete the following task.
1. Allow Prisma Access to redistribute HIP information.
   In Panorama, select Panorama > Cloud Services > Configuration > Service Setup.
   Click the gear icon to edit the settings.
   In the Advanced tab, select Enable HIP Redistribution.
   Enabling HIP Redistribution enables Prisma Access to redistribute the HIP reports received from the GlobalProtect app to internal firewalls and to Panorama.
2. Configure Panorama to receive HIP reports from Prisma Access.
   Select Panorama > Setup > Interfaces.
   Select the Management interface.
   Select User-ID.
3. Configure Panorama to collect the User-ID mapping from Prisma Access.
   From the Panorama that manages Prisma Access, select Panorama > Data Redistribution > Agents (for Panorama 10.x appliances) or Panorama > User Identification > User-ID Agents (for 9.1.x Panorama appliances).
   Add a User-ID Agent and give it a Name.
   Enter one of the following values in the Host field, depending on the types of HIP information you want to collect.
   - To collect HIP information for mobile users, enter the User-ID Agent Address (Panorama > Cloud Services > Status > Network Details > Service Connection > User-ID Agent Address).
   - To collect HIP information from users at a remote network location with an internal gateway, enter the IP address of the internal gateway.
   - To collect HIP information from users at a remote network connection, enter the EBGP Router address (Panorama > Cloud Services > Status > Network Details > Remote Networks > EBGP Router) as the User-ID host.
   Enter 5007 in the port field.
   By default, the User-ID agent uses port 5007 to listen for HIP information requests. Make sure that your network does not block access to this port between Prisma Access and the Active Directory server or User-ID Agent.
   Select Enabled to enable Panorama to communicate with the User-ID agent.
   Select IP User Mappings and HIP to enable Panorama to receive IP address-to-username mappings and GlobalProtect HIP data from all mobile user locations.
   Click OK.
4. Repeat Step 3 for each service connection for which you want to configure HIP report collection.
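A pre-flight check for the User-ID agent entries described above, as an added example that is not part of the original page or any Palo Alto Networks tooling: it validates a planned entry against the values the procedure calls for and tests whether TCP port 5007 is reachable from the machine where it runs. The dictionary keys, function names and sample addresses are assumptions chosen for this example.

```python
import ipaddress
import socket

HIP_PORT = 5007  # port the page says the User-ID agent listens on


def validate_agent(entry):
    """Return a list of problems with one planned agent entry.

    Keys (name, host, port, enabled, ip_user_mappings, hip) are
    assumptions for this example, mirroring the fields in the procedure.
    """
    issues = []
    if not str(entry.get("name", "")).strip():
        issues.append("Name is empty")
    try:
        # The page gives an address for every Host option, so require an IP.
        ipaddress.ip_address(entry.get("host", ""))
    except ValueError:
        issues.append("Host is not an IP address")
    if entry.get("port") != HIP_PORT:
        issues.append(f"Port should be {HIP_PORT}")
    if not entry.get("enabled"):
        issues.append("Enabled is not selected")
    for key, label in (("ip_user_mappings", "IP User Mappings"), ("hip", "HIP")):
        if not entry.get(key):
            issues.append(f"{label} is not selected")
    return issues


def tcp_reachable(host, port=HIP_PORT, timeout=3.0):
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed sample entries; 192.0.2.x is a documentation range.
    planned = [
        {"name": "prisma-mobile-users", "host": "192.0.2.10", "port": 5007,
         "enabled": True, "ip_user_mappings": True, "hip": True},
        {"name": "remote-net-ebgp", "host": "192.0.2.20", "port": 5006,
         "enabled": True, "ip_user_mappings": True, "hip": False},
    ]
    for agent in planned:
        problems = validate_agent(agent)
        if not problems and not tcp_reachable(agent["host"]):
            problems.append(f"TCP {HIP_PORT} unreachable from this host")
        print(agent["name"], "->", problems or "OK")
```

The reachability result only reflects the path from the host running the script, so run it from a machine on the same network segment as the Panorama management interface.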