Prisma Access
Prisma Access User-Based Policy
Table of Contents
Prisma Access User-Based Policy
Enforce user-based policy using Prisma Access.
| Where Can I Use This? | What Do I Need? |
|---|---|
|
|
Prisma Access requires that you configure IP address-to-username mapping to consistently
enforce user-based policy for mobile users and users at remote network locations. In
addition, you need to configure username to user-group mapping if you want to
enforce policy based on group membership.
To select the groups from a drop-down list when you create and configure policies in
Panorama, you can also configure Panorama to obtain the list of user groups retrieved
from the username-to-user group mapping.
The following sections provide an overview and the steps you perform to configure and
implement User-ID and use the Cloud Identity Engine to get IP address-to-username and
username-to-user group mapping in Prisma Access.
Configure User-Based Policy for Prisma Access
Prisma Access User-Based Policy (Strata Cloud Manager)
Configure user-based policy for Prisma Access Strata Cloud Manager.
After integrating Cloud Identity Engine with Prisma Access, you must confirm that
Prisma Access is connected to Cloud Identity Engine, and that Cloud Identity
Engine is sharing directory information with Prisma Access.
- Check that you can see your directories in Prisma Access.Go to .Verify that you can add users and groups to a policy rule.Select .In a security or decryption policy rule, check that the Users dropdown displays your Active Directory user and group entries. Now you can start adding these users and groups to your security and decryption policy rules.
When you've confirmed that Cloud Identity Engine is successfully connected, you can begin running user activity reports to gain greater visibility into the behavior of your user base.
Prisma Access User-Based Policy (Panorama)
Set up user-ID mapping in Prisma Access (Managed by Panorama).
This section provides the steps you perform
to configure User-ID for Prisma Access.
- Configure IP address-to-username mapping for your mobile users and users at remote network locations.
- For Mobile Users—GlobalProtect deployments, the GlobalProtect agent in Prisma Access automatically performs User-ID mapping.
- For users at remote networks, Configure User-ID for Remote Network Deployments to map IP addresses to User IDs.
Configure username-to-user group mapping for your mobile users and users at remote network locations.For Mobile Users—GlobalProtect, Explicit Proxy, and remote network deployments, configure the Directory Sync component of the Cloud Identity Engine to retrieve user and group information from your Active Directory (AD); then, configure Group Mapping Settings in your Mobile Users—GlobalProtect or remote network deployment.Alternatively, you can enable username-to-user group mapping for mobile users and users at remote networks using an LDAP server profile.We recommend using a Group Include List in the LDAP server profile, so that you can specify which groups you want to retrieve, instead of retrieving all group information.Allow Panorama to use username-to-user group mapping in security policies by completing one of the following actions:- Configure the Directory Sync component of the Cloud Identity Engine to retrieve user and group information from your Active Directory (AD); then, configure Group Mapping Settings in your Mobile Users—GlobalProtect, Mobile Users—Explicit Proxy, or remote network deployment.
- Configure group-based policy by specifying the full distinguished name (DN) of the group.
