Prisma Access User-Based Policy

Enforce user-based policy using Prisma Access.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
What Do I Need?
  • Cloud Identity Engine
  • Prisma Access license
Prisma Access requires that you configure IP address-to-username mapping to consistently enforce user-based policy for mobile users and users at remote network locations. In addition, you need to configure username to user-group mapping if you want to enforce policy based on group membership.
If you want to select groups from a drop-down list when you create and configure policies in Panorama, you can also configure Panorama to obtain the list of user groups from the username-to-user-group mapping.
The following sections provide an overview and the steps you perform to configure and implement User-ID and use the Cloud Identity Engine to get IP address-to-username and username-to-user group mapping in Prisma Access.
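The following is an added illustration, not Palo Alto Networks code or a Prisma Access API, of why the two mappings above must both be in place before a user- or group-based rule can match, and of what the Group Include List recommended in the Panorama steps does to a rule that names a group outside the list. All names, addresses and rules are constructed sample data.

```python
# Added illustration (not Palo Alto Networks code): a first-match policy lookup
# that resolves source IP -> username -> groups, showing that unmapped traffic
# and groups outside the Group Include List never match user-based rules.
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    match: set    # usernames or "group:<name>"; an empty set means "any" user
    action: str


def resolve_groups(user, dir_groups, include_list):
    """Username-to-user-group mapping, limited by the Group Include List.
    Groups outside the include list are never retrieved, so a rule that
    references one of them can never match for this user."""
    return {g for g in dir_groups.get(user, set()) if g in include_list}


def evaluate(src_ip, rules, ip_user_map, dir_groups, include_list, default="deny"):
    """First-match policy lookup; returns (rule name, action)."""
    user = ip_user_map.get(src_ip)            # IP address-to-username mapping
    groups = resolve_groups(user, dir_groups, include_list) if user else set()
    for rule in rules:
        if not rule.match:                    # "any" user also matches unmapped traffic
            return rule.name, rule.action
        if user in rule.match or any(f"group:{g}" in rule.match for g in groups):
            return rule.name, rule.action
    return "default", default


# Constructed sample data with hypothetical names (not from the page).
IP_USER_MAP = {"10.1.1.10": "alice", "10.1.1.11": "bob"}   # 10.1.1.12 has no mapping
DIR_GROUPS = {"alice": {"finance", "vpn-users"}, "bob": {"engineering", "vpn-users"}}
INCLUDE_LIST = {"finance", "vpn-users"}                    # "engineering" is not included
RULES = [
    Rule("allow-finance-app", {"group:finance"}, "allow"),
    Rule("allow-eng-tools", {"group:engineering"}, "allow"),
    Rule("deny-all-users", set(), "deny"),
]

if __name__ == "__main__":
    for ip in ("10.1.1.10", "10.1.1.11", "10.1.1.12"):
        print(ip, evaluate(ip, RULES, IP_USER_MAP, DIR_GROUPS, INCLUDE_LIST))
```

Bob's traffic is denied even though he is in the engineering group, because that group is outside the include list and is never retrieved; the unmapped address 10.1.1.12 falls through to the catch-all rule for the same reason.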

Configure User-Based Policy for Prisma Access

Prisma Access User-Based Policy (Strata Cloud Manager)

After integrating Cloud Identity Engine with Prisma Access, you must confirm that Prisma Access is connected to Cloud Identity Engine, and that Cloud Identity Engine is sharing directory information with Prisma Access.
  • Check that you can see your directories in Prisma Access.
    Go to Manage > Configuration > Identity Services > Cloud Identity Engine.
    If you're using Strata Cloud Manager, go to Manage > Configuration > NGFW and Prisma Access > Identity Services > Cloud Identity Engine.
  • Verify that you can add users and groups to a policy rule.
    Select Manage > Security Services > Security or Decryption.
    If you're using Strata Cloud Manager, go to Manage > Configuration > NGFW and Prisma Access > Security Services > Decryption.
    In a security or decryption policy rule, check that the Users dropdown displays your Active Directory user and group entries. Now you can start adding these users and groups to your security and decryption policy rules.
When you've confirmed that Cloud Identity Engine is successfully connected, you can begin running user activity reports to gain greater visibility into the behavior of your user base.

Prisma Access User-Based Policy (Panorama)

Set up User-ID mapping in Prisma Access (Managed by Panorama).
This section provides the steps you perform to configure User-ID for Prisma Access.
  1. Configure IP address-to-username mapping for your mobile users and users at remote network locations.
  2. Configure username-to-user group mapping for your mobile users and users at remote network locations.
    For Mobile Users—GlobalProtect, Explicit Proxy, and remote network deployments, configure the Directory Sync component of the Cloud Identity Engine to retrieve user and group information from your Active Directory (AD); then, configure Group Mapping Settings in your Mobile Users—GlobalProtect or remote network deployment.
    Alternatively, you can enable username-to-user group mapping for mobile users and users at remote networks using an LDAP server profile.
    We recommend using a Group Include List in the LDAP server profile, so that you can specify which groups you want to retrieve, instead of retrieving all group information.
  3. Allow Panorama to use username-to-user group mapping in security policies by completing one of the following actions: