Prisma Access
Master Device
Use a next-generation or VM-Series firewall as a Master Device to add group names to security policy rules in a Panorama Managed Prisma Access deployment.

While configuring Group Mapping in the Cloud Identity Engine performs username-to-user group mapping, those usernames and user groups do not populate to security policies. To simplify the creation or modification of user- and group-based policies, you can use a Master Device to add the group names to the drop-down lists in security policy rules. You must designate a firewall as a Master Device for each device group. After you add a Master Device, the device group inherits all policies defined on the Master Device; for this reason, it should be a standalone, dedicated device used only for that device group.
To allow selection of group names in drop-down lists in security policies, Palo Alto Networks recommends that you designate a Master Device for each device group. You can configure either an on-premises firewall or a VM-Series firewall as a Master Device.

The following figure shows a User-ID deployment where the administrator has configured an on-premises device as a Master Device. Callouts in the figure show the process.
- A next-generation on-premises or VM-Series firewall that the administrator has configured as a Master Device retrieves the latest username-to-user group mapping from the LDAP server and User-ID agent in the data center.
- Panorama gets the username-to-user group mapping from the Master Device. Panorama uses this mapping only to populate the group names in drop-down lists in security policies, thus simplifying the creation of policies based on groups.
Configure an on-premises or VM-Series Firewall as a Master Device
Use the following procedure to configure an on-premises or VM-series firewall as
a Master Device.
You can only use one Master Device per device group; if you need to configure
a Master Device for different device groups, you need to create a separate
Master Device for each device group.
- Make sure that the device you want to use as a Master Device is managed by the same Panorama that manages Prisma Access. You can check your managed devices under Panorama > Managed Devices.
- Add the Master Device to your Prisma Access mobile user or remote network deployment.
  - For a Mobile Users—GlobalProtect deployment, select Panorama > Cloud Services > Configuration > Mobile Users—GlobalProtect, click the gear icon in the Settings area, and select the on-premises firewall you want to specify as a Master Device. If you use the default Device Group Name (Mobile_User_Device_Group in this case) and Parent Device Group (Shared in this case), any devices that are not associated with another device group display in the drop-down choices. If you have associated the Master Device with another device group, select the Parent Device Group associated with that device group to have it display in the drop-down.
  - For a Mobile Users—Explicit Proxy deployment, select Panorama > Cloud Services > Configuration > Mobile Users—Explicit Proxy, click the gear icon in the Settings area, and select the Master Device you created.
  - For remote network deployments (that is, for the device group with a remote network connection), select Panorama > Cloud Services > Configuration > Remote Networks, click the gear icon in the Settings area, and select the Master Device you created.
    Prisma Access automatically populates username-to-user group mapping only for the device group that is associated with the Master Device. In this example, the auto-population would occur only in the Remote_Network_Device_Group device group and would not populate to any other device groups.
- Click OK.