Configure HIP Redistribution in Prisma Access

How to configure HIP redistribution in a Panorama Managed Prisma Access deployment.
To allow Prisma Access to collect and redistribute HIP information, complete the following task.
  1. Allow Prisma Access to redistribute HIP information.
    1. In Panorama, select Panorama > Cloud Services > Configuration > Service Setup.
    2. Click the gear icon to edit the settings.
    3. In the Advanced tab, select Enable HIP Redistribution.
      Enabling HIP Redistribution enables Prisma Access to redistribute the HIP reports received from the GlobalProtect app to internal firewalls and to Panorama.
  2. Configure Panorama to receive HIP reports from Prisma Access.
    1. Select Panorama > Setup > Interfaces.
    2. Select the Management interface.
    3. Select User-ID.
  3. Configure Panorama to collect the User-ID mapping from Prisma Access.
    1. From the Panorama that manages Prisma Access, select Panorama > Data Redistribution > Agents (for Panorama 10.x appliances) or Panorama > User Identification > User-ID Agents (for 9.1.x Panorama appliances).
    2. Add a User-ID Agent and give it a Name.
    3. Enter one of the following values in the Host field, depending on the types of HIP information you want to collect.
      • To collect HIP information for mobile users, enter the User-ID Agent Address (Panorama > Cloud Services > Status > Network Details > Service Connection > User-ID Agent Address).
      • To collect HIP information from users at a remote network location with an internal gateway, enter the IP address of the internal gateway.
      • To collect HIP information from users at a remote network connection, enter the EBGP Router address (Panorama > Cloud Services > Status > Network Details > Remote Networks > EBGP Router) as the User-ID host.
    4. Enter 5007 in the port field.
      By default, the User-ID agent uses port 5007 to listen for HIP information requests.
      Make sure that your network does not block access to this port between Prisma Access and the Active Directory server or User-ID Agent.
    5. Select Enabled to enable Panorama to communicate with the User-ID agent.
    6. Select IP User Mappings and HIP to enable Panorama to receive IP address-to-username mappings and GlobalProtect HIP data from all mobile user locations.
    7. Click OK.
  4. Repeat Step 3 for each service connection for which you want to configure HIP report collection.
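
To verify the port requirement in step 3, the following added example (not part of the original documentation or any Palo Alto Networks tooling) probes each configured Host on port 5007 and distinguishes a dropped connection from a reachable host with no listener. The addresses are constructed placeholders, and the script is assumed to run from a machine on the same network path as the Panorama management interface.

```python
import errno
import socket

HIP_REDIST_PORT = 5007  # default User-ID agent port from step 3.4

# What each probe result usually means for this procedure.
HINTS = {
    "open": "TCP path is clear",
    "refused": "host answers but nothing listens on the port; recheck the Host value and step 1",
    "filtered": "no reply before timeout; a device on the path is probably dropping the port",
    "unreachable": "no route to the host from this machine",
    "unresolvable": "host name does not resolve",
    "error": "unexpected socket error",
}

def probe(host, port=HIP_REDIST_PORT, timeout=3.0):
    """Attempt one TCP connection and classify the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "refused"
    except socket.gaierror:
        return "unresolvable"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        return "error"

def check_agents(agents, timeout=3.0):
    """agents maps a label to (host, port); returns label -> (state, hint)."""
    report = {}
    for label, (host, port) in agents.items():
        state = probe(host, port, timeout)
        report[label] = (state, HINTS[state])
    return report

if __name__ == "__main__":
    # Constructed placeholder addresses (documentation ranges); replace them
    # with the Host values entered in step 3.3.
    agents = {
        "mobile-users User-ID Agent Address": ("192.0.2.10", HIP_REDIST_PORT),
        "internal gateway": ("198.51.100.20", HIP_REDIST_PORT),
        "remote-network EBGP Router": ("203.0.113.30", HIP_REDIST_PORT),
    }
    for label, (state, hint) in check_agents(agents).items():
        print(f"{label}: {state} ({hint})")
```

A result of "open" confirms only that the TCP path exists; it does not confirm that Panorama is receiving HIP reports.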