Prisma Access requires that you configure
IP address-to-username mapping to consistently enforce user-based
policy for users at remote network locations. In addition, you need
to configure username-to-user-group mapping if
you want to enforce policy based on group membership.
You can then configure your deployment to allow Panorama to retrieve
the list of user groups from the username-to-user-group
mapping, which lets you select these groups from a drop-down
list when you create and configure policies in Panorama.
To configure User-ID collection and redistribution for users who are
protected by Prisma Access remote networks, use the following methods
to enable user-based access and visibility to applications and resources:
While you can configure
either the Windows agent or the PAN-OS integrated User-ID agent
to listen for authentication syslog messages from the network
services, only the PAN-OS integrated agent supports syslog
listening over TLS, so it is the preferred configuration.
To include the username and domain in the headers for outgoing
traffic so other devices in your network can identify the user and
enforce user-based policy, you can Insert Username in HTTP Headers.
Configure username-to-user group mapping for your mobile
users and users at remote network locations.
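To make concrete why both mappings are needed for group-based policy, here is a small added example (not Prisma Access or PAN-OS code): it builds an IP address-to-username mapping from constructed syslog authentication events, joins it with a constructed username-to-user-group mapping, and evaluates a group-based rule for a source IP, denying when either mapping is missing. The syslog line format, user names, IPs and group names are all assumed for illustration.

```python
import re

# Constructed syslog authentication events (format assumed for illustration,
# not real Prisma Access or firewall output):
#   "<timestamp> auth: user=<domain\user> src=<ip> result=<ok|fail>"
SAMPLE_SYSLOG = [
    "2024-05-01T08:00:01Z auth: user=acme\\alice src=10.1.1.10 result=ok",
    "2024-05-01T08:00:05Z auth: user=acme\\bob src=10.1.1.11 result=fail",
    "2024-05-01T08:00:09Z auth: user=acme\\carol src=10.1.1.12 result=ok",
]

# Constructed username-to-user-group mapping. In a real deployment this
# comes from the directory service, not from the authentication syslog feed.
USER_GROUPS = {
    "acme\\alice": {"engineering", "vpn-users"},
    "acme\\carol": {"finance", "vpn-users"},
}

AUTH_RE = re.compile(
    r"auth: user=(?P<user>\S+) src=(?P<ip>\d+\.\d+\.\d+\.\d+) result=(?P<result>\w+)"
)


def build_ip_user_map(lines):
    """IP address-to-username mapping built from successful logons only;
    a failed logon must not map an IP to the user who failed to log on."""
    mapping = {}
    for line in lines:
        m = AUTH_RE.search(line)
        if m and m.group("result") == "ok":
            mapping[m.group("ip")] = m.group("user").lower()
    return mapping


def groups_for_ip(ip, ip_user_map, user_groups=USER_GROUPS):
    """Resolve source IP -> username -> groups. Returns (None, empty set)
    when there is no IP-to-user mapping, and (user, empty set) when the user
    is known but has no group mapping."""
    user = ip_user_map.get(ip)
    if user is None:
        return None, set()
    return user, user_groups.get(user, set())


def policy_decision(ip, ip_user_map, required_group):
    """Group-based rule: allow only if the user behind the IP is in required_group.
    Without both mappings the rule cannot match, so traffic is denied (fail closed)."""
    user, groups = groups_for_ip(ip, ip_user_map)
    if user is None:
        return "deny: no user mapping for %s" % ip
    if required_group in groups:
        return "allow: %s is in %s" % (user, required_group)
    return "deny: %s not in %s" % (user, required_group)
```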