Prisma Access
Integrate Cloud Identity Engine with Prisma Access
Table of Contents
Expand All
|
Collapse All
Prisma Access Docs
-
- Prisma Access China
- 4.0 & Later
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
-
-
-
- 5.0 Preferred and Innovation
- 4.2 Preferred
- 4.1 Preferred
- 4.0 Preferred
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
Integrate Cloud Identity Engine with Prisma Access
Prisma Access
Integrate the Cloud Identity Engine to implement Directory Sync with Prisma
Access.
Where Can I Use
This? | What Do I
Need? |
---|---|
|
|
Cloud Management
Cloud Management
Cloud Identity Engine (Directory Sync)
gives
Prisma Access
read-only access to your Active Directory information,
so that you can easily set up and manage security and decryption policies for users
and groups. Cloud Identity Engine works with both on-premises Active Directory and Azure Active
Directory.
To set up Cloud Identity Engine with
Prisma Access
, start by going to the
hub to activate Cloud Identity Engine and to add it to Prisma Access
. Then
go to Prisma Access
to validate that Prisma Access
is able to
access directory data.- Activate Cloud Identity EngineCloud Identity Engine can share Active Directory information with any supported app on the hub. It’s free and does not require an auth code to get started. Cloud Identity Engine setup includes activating the Cloud Identity Engine app on the hub, configuring the Cloud Identity Engine agent to gather Active Directory mappings, and configuring mutual authentication between Cloud Identity and and the agent.Make sure to deploy the Cloud Identity Engine instance in the same region that you deployedPrisma Accessand Cortex Data Lake.
- Enable Cloud Identity Engine forPrisma Access.You can associatePrisma Accesswith Cloud Identity Engine when you’re first activatingPrisma Accessor anytime after:
- While you’re activatingWhen you first activate Cloud Managed Prisma Access, you can choose a Cloud Identity Engine instance forPrisma Access:Prisma Accessto use. Make sure to select an instance that is deployed in the same region asPrisma Access.
- After you’ve activatedTo enable Cloud Identity Engine for an existingPrisma Access:Prisma Accessinstance, log in to the hub. From the hub settings dropdown (see the gear on the top menu bar), selectManage Apps. Find thePrisma Accessinstance you want to update, and select the Cloud Identity Engine instance you wantPrisma Accessto use.
Panorama
Panorama
Prisma Access
retrieves user and group information from your organization’s cloud
directory or Active Directory (AD), to enforce user- and group-based policy.
Optionally, Prisma Access
retrieves user behavior-based risk signals from some cloud
directory vendors, such as Azure Active Directory, to enforce automated security
actions. You can simplify the retrieval of user and group information by using the
Cloud Identity Engine.In addition to simplifying user and group information retrieval, integrating the
Cloud Identity Engine with
Prisma Access
can free up the bandwidth and load on your
cloud directory or AD. You can use the Cloud Identity Engine to retrieve user and group information for
Prisma Access
for mobile users, remote networks, or both, by completing the
following steps.The Cloud Identity Engine integration with
Prisma Access
has the following
implementation restrictions:- Make sure that the groups you use with Cloud Identity Engine do not have any of the following special characters, becausePrisma Accessdoes not support the use of following special characters in groups and commit operations will fail:
- " (Double quotes)
- ' (Apostrophe)
- < (less than sign)
- > (greater than sign)
- & (ampersand)
- If you associate Cloud Identity Engine withPrisma Access, your user names must use the NetBIOS format that includes the domain. You can specify usernames in email format (username@domain),NetBIOS\sAMAccountNameformat, or User Principal Name (UPN) format (username@domain.com).
- Enter group names in thedistinguishedNameformat (for example,CN=Users,CN=Builtin,DC=Example,DC=com).
- Cloud Identity Engine does not apply any settings you specify in the group include list (); instead, it retrieves user and group information from your entire configuration, including groups used in all device groups and templates.DeviceUser IdentificationGroup Mapping SettingsGroup Include List
- Create a Cloud Identity Engine instance forPrisma Access, and make a note of the instance name.When you activate the Cloud Identity Engine, it creates an instance. You use the instance name when you associate the Cloud Identity Engine withPrisma Accessin a later step. Optionally, if you need to create a separate instance forPrisma Access, create it and make a note of the instance name.
- Configure the Cloud Identity Engine to retrieve your directory data.
- (Deployments with on-premises Active Directory only) If you use an on-premises Active Directory, Install and configure the Cloud Identity Agent to communicate with your on-premises AD and configure mutual authentication between the Cloud Identity Engine service and the agent.
- Enable the Cloud Identity Engine onPrisma Access.
- On the Panorama that managesPrisma Access, select the username-to-user group mapping setting tab.
- For a Mobile Users—GlobalProtect deployment, select, select the gear icon to edit the settings, then selectPanoramaCloud ServicesConfigurationMobile Users—GlobalProtectGroup Mapping Settings.
- For a Mobile Users—Explicit Proxy deployment, select, select the gear icon to edit the settings, then selectPanoramaCloud ServicesConfigurationMobile Users—Explicit ProxyGroup Mapping Settings.
- For a remote network deployment, select, select the gear icon to edit the settings, then selectPanoramaCloud ServicesConfigurationRemote NetworksGroup Mapping Settings.
- SelectEnable Directory Sync Integrationto enable Cloud Identity Engine withPrisma Access.
- Enter the following information:
- Enter thePrimary Username. This field is required.ThePrimary Usernameattribute controls the formatting that is used in logs and reporting. If the primary username attribute isuserPrincipalName(UPN), all the log and reporting entries display the source user in that format. Many deployments use a format of either UPN,sAMAccountName, ormail. If your organization uses another attribute, you can specify it here to ensure consistency for logging and reporting across your organization.If you configure Azure AD or Okta Directory as the identity provider (IdP) in the Cloud Identity Engine, specify thePrimary UsernameasuserPrincipalName.Prisma Accesssupports the userPrincipalName (UPN) attribute that is used with Azure AD and Okta Directory.
- (Optional) Enter theE-Mailattribute (such asmail).
- (Optional) If you use alternate name attributes for the user, enter them. You can enter up to three alternate user names (Alternate User Name 1,Alternate User Name 2, andAlternate User Name 3).
- ClickOKwhen complete.
- Commit and push () your changes.CommitCommit and Push