Configure User-ID and User-Based Policies with GlobalProtect Cloud Service

GlobalProtect cloud service requires that you configure IP address-to-username mapping to consistently enforce user-based policy for mobile users and users at remote network locations. In addition, you need to configure username-to-user-group mapping if you want to enforce policy based on group membership.
You can then configure your deployment so that Panorama receives the list of user groups retrieved through the group mapping, which lets you select those groups from a drop-down list when you create and configure policies in Panorama.
The following sections provide an overview and the steps you perform to configure and implement User-ID in GlobalProtect cloud service.

Configure User-ID in GlobalProtect Cloud Service

This section provides the steps you perform to configure User-ID for GlobalProtect cloud service.
  1. Configure IP address-to-username mapping for your mobile users and users at remote network locations.
  2. Configure username-to-user-group mapping for your mobile users and users at remote network locations.
    To configure username-to-user-group mapping for all users, enable group mapping for mobile users and for users at remote networks using an LDAP server profile.
    We recommend using a Group Include List in the LDAP server profile, so that you specify only the groups you want to retrieve instead of retrieving all group information from the directory.
  3. Allow Panorama to use group mappings in security policies by configuring one or more next-generation on-premise or VM-series firewalls as a Master Device.
    If you don’t configure a Master Device with a GlobalProtect cloud service User-ID deployment, Panorama cannot populate the group drop-down list, so enter the groups as long-form distinguished name (DN) entries instead.
  4. Redistribute User-ID mappings between GlobalProtect cloud service and on-premise next-generation firewalls.
    • For mobile users to access a resource from a remote network connection or service connection that has a next-generation firewall with user-based policies, you must redistribute User-ID mappings from GlobalProtect cloud service to the firewall.
    • For users at a location that is secured by a remote network or service connection with an on-premise firewall to access a resource at another branch location that you have secured with GlobalProtect cloud service, you must redistribute User-ID mappings from the on-premise firewall to GlobalProtect cloud service.
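The following is an added example, not code from Palo Alto Networks, Panorama or GlobalProtect cloud service. It models the four steps above in plain Python: an IP address-to-username table whose entries age out, a username-to-group table that is filled only from groups on a Group Include List (matched on long-form DN), a group-based policy lookup, and redistribution of the IP-to-user mappings from one enforcement point to another. The directory, include list, policy rules, mapping timeout and IP addresses are all constructed for the illustration; the timeout value in particular is an assumption, since the page states none.

```python
"""Constructed model of User-ID mapping, group mapping and redistribution.
Added illustration only; it is not PAN-OS, Panorama or GlobalProtect cloud
service code and makes no claim about how those products store mappings."""
from dataclasses import dataclass


@dataclass
class Mapping:
    """One IP address-to-username entry with the time it was learned."""
    user: str
    learned_at: float
    timeout: float = 2700.0  # seconds; assumed value for the example

    def expired(self, now):
        return now - self.learned_at > self.timeout


class EnforcementPoint:
    """A place that enforces user-based policy: the cloud service or an on-premise firewall."""

    def __init__(self, name, group_include_list):
        self.name = name
        self.ip_to_user = {}
        # Step 2: Group Include List holds long-form DNs; compare case-insensitively.
        self.group_include_list = {dn.lower() for dn in group_include_list}
        self.user_to_groups = {}

    def learn(self, ip, user, now):
        """Step 1: record an IP address-to-username mapping."""
        self.ip_to_user[ip] = Mapping(user, now)

    def load_groups(self, directory):
        """Step 2: pull membership only for groups on the include list, not every group."""
        for dn, members in directory.items():
            if dn.lower() not in self.group_include_list:
                continue
            for member in members:
                self.user_to_groups.setdefault(member.lower(), set()).add(dn.lower())

    def user_for(self, ip, now):
        m = self.ip_to_user.get(ip)
        if m is None or m.expired(now):
            return None  # no current mapping: the user is unknown at this point
        return m.user

    def decide(self, ip, policy, now):
        """Step 3: apply the first rule whose group DN contains the user mapped to this IP."""
        user = self.user_for(ip, now)
        if user is None:
            return "deny-unknown-user"
        groups = self.user_to_groups.get(user.lower(), set())
        for _rule_name, group_dn, action in policy:
            if group_dn.lower() in groups:
                return action
        return "deny-default"

    def export_mappings(self, now):
        """Step 4: redistribute only mappings that have not aged out."""
        return {ip: m for ip, m in self.ip_to_user.items() if not m.expired(now)}

    def import_mappings(self, mappings):
        self.ip_to_user.update(mappings)


# Constructed directory data: the "all-staff" group is deliberately NOT on the include list.
DIRECTORY = {
    "cn=vpn-users,ou=groups,dc=example,dc=com": ["alice", "bob"],
    "cn=finance,ou=groups,dc=example,dc=com": ["alice"],
    "cn=all-staff,ou=groups,dc=example,dc=com": ["alice", "bob", "carol"],
}
INCLUDE_LIST = [
    "cn=vpn-users,ou=groups,dc=example,dc=com",
    "cn=finance,ou=groups,dc=example,dc=com",
]
# Rules are (name, long-form group DN, action); constructed for the example.
POLICY = [
    ("finance-apps", "CN=finance,OU=groups,DC=example,DC=com", "allow"),
    ("vpn-basic", "cn=vpn-users,ou=groups,dc=example,dc=com", "allow-limited"),
]


def demo(now=1_000_000.0):
    """Walk the four steps between the cloud service and a branch firewall."""
    cloud = EnforcementPoint("gp-cloud-service", INCLUDE_LIST)
    branch = EnforcementPoint("branch-firewall", INCLUDE_LIST)
    for point in (cloud, branch):
        point.load_groups(DIRECTORY)
    cloud.learn("10.1.1.5", "alice", now)        # current mapping
    cloud.learn("10.1.1.6", "carol", now)        # current, but no included group
    cloud.learn("10.1.1.7", "bob", now - 3600)   # older than the timeout
    before = branch.decide("10.1.1.5", POLICY, now)  # branch has no mapping yet
    branch.import_mappings(cloud.export_mappings(now))
    return {
        "branch_before_redistribution": before,
        "branch_after_redistribution": branch.decide("10.1.1.5", POLICY, now),
        "carol_not_in_included_group": branch.decide("10.1.1.6", POLICY, now),
        "expired_mapping_not_used": cloud.decide("10.1.1.7", POLICY, now),
        "exported_ips": sorted(cloud.export_mappings(now)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things the model makes visible that the prose only implies: a user whose only groups are outside the Group Include List falls through to the default rule even though the IP-to-user mapping exists, and a firewall that has not received redistributed mappings treats the same traffic as coming from an unknown user. The aged-out mapping for "bob" is neither enforced locally nor redistributed, which is why mapping freshness matters on both sides of the redistribution.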
