Configure User-ID for Remote Network Deployments
Table of Contents
Configure User-ID for Remote Network Deployments
Prisma Access requires that you configure
IP address-to-username mapping to consistently enforce user-based
policy for users at remote network locations. In addition, you need
to configure username to user-group mapping if
you want to enforce policy based on group membership.
You
can then configure your deployment to allow Panorama to retrieve
the list of user groups retrieved from the username-to-user group
mapping, which allows you to easily select these groups from a drop-down
list when you create and configure policies in Panorama.
To
configure User-ID collection and redistribution for users who are
protected by Prisma Access remote networks, use the following methods
to enable user-based access and visibility to applications and resources:
- Map IP addresses to users in Prisma Access.
- To map users as they log in to your Exchange servers, domain controllers, eDirectory servers, or Windows clients you must configure a User-ID agent:
- You can configure the agent on either a service connection or a remote network connection.To configure the agent on a remote network connection, select the Remote_Network_Template when you create the agent.
Optionally, to configure the agent on a service connection, select the Service_Conn_Template.If you configure the agent on a service connection, you need to perform additional steps to redistribute that information to the remote network; to do so, create a Data Redistribution Agent in the Remote_Network_Template and specify the User-ID Agent Address () in the Host field.
Whatever mapping method you use applies to all remote network connections across your deployment. - If you have users with client systems that aren’t logged in to your domain servers—for example, users running Linux clients that don’t log in to the domain—you can Map IP Addresses to Usernames Using Authentication Portal (formerly Captive Portal).Kerberos is not supported for use with Authentication Portal in conjunction with Prisma Access.To perform IP to User Mapping using Authentication portal, Palo Alto Networks recommends that you associate a local DNS entry with the Captive Portal Redirect IP Address (.
- To obtain user mappings from existing network services that authenticate users—such as wireless controllers, 802.1x devices, Apple Open Directory servers, proxy servers, or other Network Access Control (NAC) mechanisms—Configure User-ID to Monitor Syslog Senders for User Mapping.While you can configure either the Windows agent or the PAN-OS integrated User-ID agent on to listen for authentication syslog messages from the network services, because only the PAN-OS integrated agent supports syslog listening over TLS, it is the preferred configuration.
- To include the username and domain in the headers for outgoing traffic so other devices in your network can identify the user and enforce user-based policy, you can Insert Username in HTTP Headers.
- Configure username-to-user group mapping for your mobile users and users at remote network locations.
- Configure the Directory Sync component of the Cloud Identity Engine to retrieve user and group information from the supported directory types; then, configure Group Mapping Settings in your remote network deployment.
- Alternatively, you can enable group mapping using an LDAP server profile.
- Allow Panorama to populate users and groups drop-down lists in security policies by completing one of the following actions:
- Configure one or more next-generation firewalls or the Cloud Identity Engine to populate usernames and user groups in security policies.
- Configure group-based policy by specifying the full distinguished name (DN) of the group.
- (Optional) If you have on-premise firewalls in your deployment, redistribute the user-ID information from Prisma Access to on-premise firewalls and from on-premise firewalls to Prisma Access.
