Populate User Group Names in Security Policy Rules Using
a Master Device
Use a next-generation or VM-series firewall as a Master
Device to add group names to security policy rules in a Panorama
Managed Prisma Access deployment.
While configuring Group Mapping in the
Cloud Identity Engine performs username-to-user group mapping,
those usernames and user groups do not populate to security policies.
To simplify the creation or modification of user- and group-based
policies, you can use a Master Device to add the group names to
drop-down lists in security policy rules. You need to designate
a firewall as a Master Device for each device group. After you add
a Master Device, the device group inherits all policies defined
on the master device; for this reason, it should be a standalone, dedicated
device to be used for that device group.
To allow selection of group names in drop-down lists in security
policies, Palo Alto Networks recommends that you designate a
each device group. You can configure either an on-premises firewall
or a VM-series firewall as a master device.
The following figure shows a User-ID deployment where the administrator
has configured an on-premises device as a
Callouts in the figure show the process.
A next-generation on-premises or VM-series firewall that
the administrator has configured as a Master Device retrieves the
latest username-to-user group mapping from the LDAP server and User-ID
agent in the data center.
Panorama gets the username-to-user group mapping from the
Panorama uses this mapping only for the purposes
of populating the group names in drop-down lists in security policies,
thus simplifying the creation of policies based on groups.