Focus

Redistribute User-ID Information From Prisma Access to an On-Premise Firewall

Table of Contents

Filter

Expand All | Collapse All

Prisma Access Docs

Activation & Onboarding
Administration
Version
- Prisma Access China
- 4.0 & Later
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
Integrations
Incidents & Alerts
Release Notes
Version
- 5.2 Preferred and Innovation
- 5.1 Preferred and Innovation
- 5.0 Preferred and Innovation
- 4.2 Preferred
- 4.1 Preferred
- 4.0 Preferred
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred

Redistribute User-ID Information Between Prisma Access and On-Premises Firewalls

Redistribute User-ID Information From an On-Premises Firewall to Prisma Access

Redistribute User-ID Information From Prisma Access to an On-Premise Firewall

Shows the steps you take to redistribute User-ID information from Prisma Access to an on-premise firewall.

In cases where mobile users need to access a resource on a remote network location or HQ/data center and the resource is secured by an on-premises next-generation firewall with user-based policies, you must redistribute IP address-to-user name mapping from the Prisma Access mobile users and users at remote networks to the on-premises firewall. When the user connects to Prisma Access, it collects this user-to-IP address mapping and stores it.

The following figure shows two mobile users that have an existing IP address-to-username mapping in Prisma Access. Prisma Access then redistributes this mapping by way of a either a service connection (SC-CAN) or remote network connection (RN-SPN) to the on-premises firewall that secures the HQ/data center.

Prisma Access uses the service connection or remote network connection as an IPSec tunnel that serves as the underlay path to the Layer 3 network. You can use any route path over an IPSec trusted tunnel for privately addressed destinations to redistribute this mapping.

To redistribute User-ID mappings from Prisma Access to an on-premises firewall, complete the following steps.

Make sure you do not apply any SSL decryption on any connection that redistributes user identity to the on-premises firewall (the SC-CAN or RN-SPN), including any firewalls that are in the redistribution path. Alternatively, you can apply a decryption exclusion to the redistribution traffic.

Make a note of the IP address to use when you configure the data redistribution agent.
- For remote network connections, find the EBGP Router address (PanoramaCloud ServicesStatusNetwork DetailsRemote NetworksEBGP Router).
- For service connections, find the User-ID Agent Address (PanoramaCloud ServicesStatusNetwork DetailsService ConnectionUser-ID Agent Address).
Configure Prisma Access as a User-ID agent that redistributes user mapping information.
1. In the Panorama that manages Prisma Access, select DeviceData RedistributionCollector Settings.
  To configure the collector on a service connection, select the Service_Conn_Template; to configure the collector on a remote network connection, select the Remote_Network_Template
2. Click the gear icon to edit the settings.
3. Provide a Collector Name and a Collector Pre-Shared Key to identify Prisma Access as a User-ID agent.
4. Click OK to save your changes.
Configure the on-premises firewall to collect the User-ID mapping from Prisma Access.
1. From the on-premises firewall, select DeviceData RedistributionAgents.
2. Add a User-ID Agent and give it a Name.
3. Select Host and Port.
4. Enter the User-ID Agent Address (for a service connection) or EBGP Router Address (for a remote network connection) from Prisma Access in the Host field.
5. Enter the Collector Name and Collector Pre-Shared Key for the Prisma Access collector you created in Step 2.
6. Select IP User Mappings.
7. Click OK.
8. Repeat these steps for each service connection or remote network connection for which you want to redistribute mappings.