Learn how to preserve the user-ID and device-ID mapping for GlobalProtect users who
are accessing apps behind a data center with a next-generation firewall.
| Where Can I Use This? | What Do I Need? |
|---|---|
| | Prisma Access license. Next-generation firewall (NGFW) running a minimum version of PAN-OS 11.2. This functionality uses Geneve encapsulation: make sure that any downstream firewalls, in addition to the NGFWs running PAN-OS 11.2 or later, are able to decapsulate Geneve encapsulation. |
You use service connections, also known as service connection—corporate access nodes (SC-CANs), in Prisma Access to secure private apps. To limit access to the apps based on User-ID or Device-ID, you can deploy a Next-Generation Firewall (NGFW) in the data center or headquarters location where the private apps are located; then, configure policy rules on the NGFW based on User-ID mapping, Device-ID mapping, or both.
To use these rules, the NGFW must receive the User- or Device-ID mapping from the
SC-CAN; however, if users are connecting to Prisma Access using GlobalProtect and
the SC-CAN has Data Traffic source NAT enabled, the NGFW
can't obtain this mapping. If Data Traffic source NAT is
enabled on the SC-CAN, it performs NAT on the Mobile User IP address pool and does
not advertise those IP addresses in the data center or headquarters location.
In this case, the NGFW can't retrieve the GlobalProtect users' User- or Device-ID,
which means that you can't enforce policy based on User- or Device-ID.
To make sure that your network distributes the User- or Device-ID mapping to the
headquarters or data center, complete the procedure listed in one of the following
sections, which allows the NGFW to enforce security policy rules based on the
User-ID mapping it learns from GlobalProtect.
An NGFW with a minimum PAN-OS version of 11.2 is required.
The service connection does not have to terminate on the NGFW and can terminate on
another IPSec-capable device, as long as the NGFW is downstream from where the
service connection is terminated.
Preserve User and Device-ID Mapping for Service Connections with Source NAT (Strata Cloud Manager)
To have Prisma Access distribute User-ID mappings from GlobalProtect users to an NGFW
at the headquarters or data center in Prisma Access (Managed by Strata Cloud Manager), complete the
following steps.
This procedure assumes that you have the following network configuration in
place:
- You have enabled Data Traffic source NAT on the service
connection.
- You have deployed an NGFW at the headquarters or data center where the private
apps are located.
- You have applied security policy rules for Prisma Access on the NGFW based on
zones you have created in the NGFW.
1. Enter Pre-NAT Identification parameters on the NGFW.
   1. Log in to the NGFW, or log into the SCM or Panorama that manages the NGFW, and go to .
   2. Add a zone or select an existing zone.
   3. Select one or more Pre-NAT Identification parameters:
      - User-ID—Preserves the mobile user User-ID mapping used before the IP addresses were NATted. Enable this if you're using User-IDs in security policy rules.
      - Device-ID—Preserves the mobile user Device-ID mapping used before the IP addresses were NATted. Enable this if you're using Device-ID in security policy rules.
      - Source Lookup—Enables you to match the original Source IP address received from GlobalProtect. If you're using source lookup in QoS or policy-based forwarding (PBF) policies, the source IP comparison is based on the pre-NAT source IP address. For example, if you had a security policy that allowed a source IP address of 1.1.1.1 and a destination IP address of Any, 1.1.1.1 is compared with the pre-NAT source IP address in the packet header.
      - Enable Original ID Downstream—If you have two NGFWs in a row, specify this option to have the first NGFW send the pre-NAT information to the second NGFW after the first NGFW has inspected the traffic and applied policies to it. This is the default configuration on SC-CANs.
   4. Click OK and Commit your changes.
2. Create a command-line interface (CLI) session with the NGFW and enter the following command in configuration mode:

       set deviceconfig setting preserve-prenat-feature yes

   If you need to disable this feature in the future, enter set deviceconfig setting preserve-prenat-feature no.
3. Enable pre-NAT settings in Strata Cloud Manager.
   1. Go to .
   2. Enable Preserve pre-NAT (User-ID/Device-ID).
   3. Push Config to save your changes.
Preserve User and Device-ID Mapping for Service Connections with Source NAT (Panorama)
To have Prisma Access distribute User-ID mappings from GlobalProtect users to an NGFW
at the headquarters or data center in Prisma Access (Managed by Panorama), complete the
following steps.
This procedure assumes that you have the following network configuration in
place:
- You have enabled Data Traffic source NAT on the service
connection.
- You have deployed an NGFW at the headquarters or data center where the private
apps are located.
- You have applied security policy rules for Prisma Access on the NGFW based on
zones you have created in the NGFW.
1. Enter Pre-NAT Identification parameters on the NGFW.
   1. Log in to the NGFW, or log into the SCM or Panorama that manages the NGFW, and go to .
   2. Add a zone or select an existing zone.
   3. Select one or more Pre-NAT Identification parameters:
      - User-ID—Preserves the mobile user User-ID mapping used before the IP addresses were NATted. Enable this if you're using User-IDs in security policy rules.
      - Device-ID—Preserves the mobile user Device-ID mapping used before the IP addresses were NATted. Enable this if you're using Device-ID in security policy rules.
      - Source Lookup—Enables you to match the original Source IP address received from GlobalProtect. If you're using source lookup in QoS or policy-based forwarding (PBF) policies, the source IP comparison is based on the pre-NAT source IP address. For example, if you had a security policy that allowed a source IP address of 1.1.1.1 and a destination IP address of Any, 1.1.1.1 is compared with the pre-NAT source IP address in the packet header.
      - Enable Original ID Downstream—If you have two NGFWs in a row, specify this option to have the first NGFW send the pre-NAT information to the second NGFW after the first NGFW has inspected the traffic and applied policies to it. This is the default configuration on SC-CANs.
   4. Click OK and Commit your changes.
2. Create a command-line interface (CLI) session with the NGFW and enter the following command in configuration mode:

       set deviceconfig setting preserve-prenat-feature yes

   If you need to disable this feature in the future, enter set deviceconfig setting preserve-prenat-feature no.
3. From the Panorama that manages Prisma Access, enable pre-NAT settings.
   1. Go to and click the gear to edit the Settings.
   2. Select Preserve pre-NAT (User-ID/Device-ID).
   3. Commit and Push your changes.
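After completing either procedure (Strata Cloud Manager or Panorama), confirm that the NGFW actually holds User-ID mappings keyed on the GlobalProtect mobile-user pool addresses, which are the pre-NAT addresses; without pre-NAT preservation and with Data Traffic source NAT enabled, those entries are absent. The following added example is not part of the Palo Alto Networks documentation: it parses the XML that the PAN-OS XML API (type=op) returns for the op command show user ip-user-mapping all and separates GlobalProtect (GP) entries that fall inside the pool from all other mappings. The entry field names, the sample response and the 10.50.0.0/16 pool are constructed assumptions; adjust them to what your firewall returns.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of a response to the PAN-OS op command
# "show user ip-user-mapping all" as returned through the XML API (type=op).
# The entry/ip/vsys/type/user field names are an assumption modelled on the
# CLI output; check them against your own firewall's response.
SAMPLE_RESPONSE = """<response status="success"><result>
<entry><ip>10.50.1.23</ip><vsys>vsys1</vsys><type>GP</type><user>jdoe@corp.example</user></entry>
<entry><ip>10.50.1.77</ip><vsys>vsys1</vsys><type>GP</type><user>asmith@corp.example</user></entry>
<entry><ip>192.0.2.10</ip><vsys>vsys1</vsys><type>AD</type><user>svc-backup@corp.example</user></entry>
</result></response>"""

# Constructed mobile-user IP pool (the pre-NAT GlobalProtect addresses).
MOBILE_USER_POOL = "10.50.0.0/16"


def parse_mappings(xml_text):
    """Return (ip, user, type) tuples from an ip-user-mapping response.

    Raises if the firewall reported an error instead of a result set.
    """
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError("op command failed: " + xml_text[:200])
    return [
        (e.findtext("ip"), e.findtext("user"), e.findtext("type"))
        for e in root.iter("entry")
    ]


def check_prenat_mappings(mappings, mobile_user_pool=MOBILE_USER_POOL):
    """Split GlobalProtect (GP) mappings keyed on a pre-NAT pool address
    from everything else.

    With Data Traffic source NAT and no pre-NAT preservation the first list
    is empty, because the NGFW never learns the pool addresses; once the
    feature is enabled it should hold one entry per connected mobile user.
    """
    pool = ipaddress.ip_network(mobile_user_pool)
    prenat, other = [], []
    for ip, user, kind in mappings:
        if kind == "GP" and ipaddress.ip_address(ip) in pool:
            prenat.append((ip, user))
        else:
            other.append((ip, user, kind))
    return prenat, other
```

An empty first list after the commit points at the zone parameters, the preserve-prenat-feature setting, or a downstream device that cannot decapsulate Geneve.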