Populate User Group Names in Security Policy Rules Using a Master Device
Table of Contents
Populate User Group Names in Security Policy Rules Using a Master Device
Use a next-generation or VM-series firewall as a Master
Device to add group names to security policy rules in a Panorama
Managed Prisma Access deployment.
While configuring Group Mapping in the
Cloud Identity Engine performs username-to-user group mapping,
those usernames and user groups do not populate to security policies.
To simplify the creation or modification of user- and group-based
policies, you can use a Master Device to add the group names to
drop-down lists in security policy rules. You need to designate
a firewall as a Master Device for each device group. After you add
a Master Device, the device group inherits all policies defined
on the master device; for this reason, it should be a standalone, dedicated
device to be used for that device group.
To allow selection of group names in drop-down lists in security
policies, Palo Alto Networks recommends that you designate a Master Device for
each device group. You can configure either an on-premises firewall
or a VM-series firewall as a master device.
The following figure shows a User-ID deployment where the administrator
has configured an on-premises device as a Master Device.
Callouts in the figure show the process.
- A next-generation on-premises or VM-series firewall that the administrator has configured as a Master Device retrieves the latest username-to-user group mapping from the LDAP server and User-ID agent in the data center.
- Panorama gets the username-to-user group mapping from the Master Device.Panorama uses this mapping only for the purposes of populating the group names in drop-down lists in security policies, thus simplifying the creation of policies based on groups.
