Configure User-ID for Remote Network Deployments

Prisma Access requires that you configure IP address-to-username mapping to consistently enforce user-based policy for users at remote network locations. In addition, you need to configure username to user-group mapping if you want to enforce policy based on group membership.
You can then configure your deployment to allow Panorama to retrieve the list of user groups from the username-to-user-group mapping, which lets you select these groups from a drop-down list when you create and configure policies in Panorama.
To configure User-ID collection and redistribution for users who are protected by Prisma Access remote networks, use the following methods to enable user-based access and visibility to applications and resources:
  1. Map IP addresses to users in Prisma Access.
    • To map users as they log in to your Exchange servers, domain controllers, eDirectory servers, or Windows clients, you must configure a User-ID agent:
      • You can configure the agent on either a service connection or a remote network connection.
        To configure the agent on a remote network connection, select the Remote_Network_Template when you create the agent.
        Optionally, to configure the agent on a service connection, select the Service_Conn_Template.
        If you configure the agent on a service connection, you need to perform additional steps to redistribute that information to the remote network; to do so, create a Data Redistribution Agent in the Remote_Network_Template and specify the User-ID Agent Address (Panorama > Cloud Services > Status > Network Details > Service Connection > User-ID Agent Address) in the Host field.
      Whatever mapping method you use applies to all remote network connections across your deployment.
    • If you have users with client systems that aren’t logged in to your domain servers—for example, users running Linux clients that don’t log in to the domain—you can Map IP Addresses to Usernames Using Authentication Portal (formerly Captive Portal).
      Kerberos is not supported for use with Authentication Portal in conjunction with Prisma Access.
      To perform IP-to-user mapping using Authentication Portal, Palo Alto Networks recommends that you associate a local DNS entry with the Captive Portal Redirect IP Address (Panorama > Cloud Services > Status > Network Details > Service Infrastructure > Captive Portal Redirect IP Address).
    • To obtain user mappings from existing network services that authenticate users—such as wireless controllers, 802.1x devices, Apple Open Directory servers, proxy servers, or other Network Access Control (NAC) mechanisms—Configure User-ID to Monitor Syslog Senders for User Mapping.
      You can configure either the Windows agent or the PAN-OS integrated User-ID agent to listen for authentication syslog messages from these network services; because only the PAN-OS integrated agent supports syslog listening over TLS, it is the preferred configuration.
    • To include the username and domain in the headers for outgoing traffic so other devices in your network can identify the user and enforce user-based policy, you can Insert Username in HTTP Headers.
  2. Configure username-to-user group mapping for your mobile users and users at remote network locations.
  3. Allow Panorama to populate username-to-user group mapping in drop-down lists in security policies by completing one of the following actions:
  4. (Optional) If you have on-premise firewalls in your deployment, redistribute the User-ID information from Prisma Access to on-premise firewalls and from on-premise firewalls to Prisma Access.
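As an added illustration of the syslog-sender method in step 1 (example code, not Palo Alto Networks' own), the following Python replays constructed authentication syslog events the way an agent's syslog parse profile would: it keeps mappings only from configured senders, clears a mapping on logout, ignores failed authentications, and renders the result in the PAN-OS User-ID XML API login format. The syslog line layout, the sender name wlc01 and the TRUSTED_SENDERS set are constructed assumptions; the XML format is real but is not discussed on this page.

```python
import re
from xml.etree import ElementTree as ET

# Constructed sample syslog in the style a wireless controller or NAC might emit; real vendors differ.
SAMPLE_SYSLOG = """\
<14>Jan 10 09:00:01 wlc01 auth: User login successful user=CORP\\alice ip=10.20.30.40
<14>Jan 10 09:00:05 wlc01 auth: User login successful user=CORP\\bob ip=10.20.30.41
<14>Jan 10 09:05:00 wlc01 auth: User logout user=CORP\\alice ip=10.20.30.40
<14>Jan 10 09:06:00 wlc01 auth: Authentication failed user=CORP\\eve ip=10.20.30.99
<14>Jan 10 09:07:00 other-host auth: User login successful user=CORP\\carol ip=10.20.30.50
"""

# Hypothetical: only the senders explicitly configured on the agent are believed.
TRUSTED_SENDERS = {"wlc01"}

# BSD-style syslog header: <PRI>Mon DD HH:MM:SS hostname message
HEADER_RE = re.compile(r"^<\d+>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) (?P<msg>.*)$")
IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
LOGIN_RE = re.compile(r"User login successful user=(?P<user>\S+) ip=" + IP)
LOGOUT_RE = re.compile(r"User logout user=(?P<user>\S+) ip=" + IP)

def parse_mappings(syslog_text, trusted=TRUSTED_SENDERS):
    """Replay login/logout events in order and return {ip: username}."""
    mappings = {}
    for line in syslog_text.splitlines():
        hdr = HEADER_RE.match(line)
        if not hdr or hdr["host"] not in trusted:
            continue  # malformed line, or a sender the agent was never configured for
        login = LOGIN_RE.search(hdr["msg"])
        logout = LOGOUT_RE.search(hdr["msg"])
        if login:
            mappings[login["ip"]] = login["user"]
        elif logout and mappings.get(logout["ip"]) == logout["user"]:
            del mappings[logout["ip"]]  # clear only while the entry still belongs to this user
        # Failed authentications and unrelated messages create no mapping.
    return mappings

def to_uid_xml(mappings, timeout_minutes=20):
    """Render the mappings as a PAN-OS User-ID XML API 'login' update message."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    login = ET.SubElement(ET.SubElement(root, "payload"), "login")
    for ip, user in sorted(mappings.items()):
        ET.SubElement(login, "entry", name=user, ip=ip, timeout=str(timeout_minutes))
    return ET.tostring(root, encoding="unicode")
```

Calling parse_mappings(SAMPLE_SYSLOG) leaves only bob's mapping: alice logged out, eve's authentication failed, and carol's event came from a sender that was never configured.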