Get User and Group Information Using Directory Sync
Use the Directory Sync service to retrieve user and group information for Prisma Access.
Prisma Access retrieves user and group information from your organization’s Active Directory (AD) to enforce user- and group-based policy. You can simplify the retrieval of user and group information by using Palo Alto Networks’ Directory Sync service.
In addition to simplifying user and group information retrieval, integrating Directory Sync with Prisma Access can free up the bandwidth and load on your AD. Without Directory Sync integration, all the remote networks and mobile users’ nodes individually communicate with your AD using the service connection.
You can use Directory Sync to retrieve user and group information for Prisma Access for mobile users, remote networks, or both, by completing the following steps.
The Directory Sync integration with Prisma Access has the following implementation restrictions:
- Make sure that the groups you use with Directory Sync do not contain any of the following special characters. Prisma Access does not support them in group names, and commit operations will fail if they are present:
  - " (double quote)
  - ' (apostrophe)
  - < (less than sign)
  - > (greater than sign)
  - & (ampersand)
- If you associate Directory Sync with Prisma Access, your user names must use the NetBIOS format that includes the domain. You can specify usernames in email format (username@domain), NetBIOS\sAMAccountName format, or User Principal Name (UPN) format (firstname.lastname@example.org).
- Group names must be in the distinguishedName format (for example, CN=Users,CN=Builtin,DC=Example,DC=com).
- Directory Sync does not apply any settings you specify in the group include list (Device > User Identification > Group Mapping Settings > Group Include List); instead, it retrieves user and group information from your entire configuration, including groups used in all device groups and templates.
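Because a group containing one of the unsupported characters only shows up as a failed commit, it is worth checking group names before you push the configuration. The following script is an added example (not Palo Alto Networks code and not part of the original page): it flags groups that contain any of the five characters listed above and groups that are not written as a distinguishedName. The distinguishedName check is a deliberately simple regular expression assumed here (it does not handle escaped commas in RDN values), and the sample group names are constructed.

```python
import re

# Characters Prisma Access does not accept in group names used with Directory Sync
# (double quote, apostrophe, less than, greater than, ampersand).
UNSUPPORTED_CHARS = frozenset('"\'<>&')

# Assumed, simplified distinguishedName shape: comma-separated attribute=value RDNs,
# e.g. CN=Users,CN=Builtin,DC=Example,DC=com. Escaped commas inside values are not handled.
_DN_RE = re.compile(r'^(?:[A-Za-z]+=[^,]+)(?:,[A-Za-z]+=[^,]+)*$')


def unsupported_chars_in(group_name):
    """Return the sorted list of characters in group_name that would make a commit fail."""
    return sorted(set(group_name) & UNSUPPORTED_CHARS)


def is_distinguished_name(group_name):
    """True if group_name looks like an LDAP distinguishedName rather than a bare CN."""
    return bool(_DN_RE.match(group_name))


def check_groups(group_names):
    """Map each problematic group name to the list of reasons it would be rejected."""
    problems = {}
    for name in group_names:
        reasons = []
        bad = unsupported_chars_in(name)
        if bad:
            reasons.append("unsupported characters: " + " ".join(bad))
        if not is_distinguished_name(name):
            reasons.append("not in distinguishedName format")
        if reasons:
            problems[name] = reasons
    return problems


# Constructed sample input; these names do not come from any real directory.
SAMPLE_GROUPS = [
    "CN=Users,CN=Builtin,DC=Example,DC=com",            # valid
    "CN=R&D Staff,OU=Groups,DC=Example,DC=com",         # ampersand
    "CN=O'Brien's Team,OU=Groups,DC=Example,DC=com",    # apostrophe
    'CN="Sales" <EMEA>,OU=Groups,DC=Example,DC=com',    # quotes and angle brackets
    "Domain Users",                                     # bare name, not a DN
]

if __name__ == "__main__":
    for name, reasons in check_groups(SAMPLE_GROUPS).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Run it against an export of the group names you intend to reference in policy; any group it reports needs to be renamed in AD (or excluded from Prisma Access policy) before the commit, since Directory Sync reads the entire directory and you cannot filter these groups out with the group include list.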
- Create a Directory Sync instance for Prisma Access, and make a note of the instance name. When you activate Directory Sync, it creates an instance. You use the instance name when you associate Directory Sync with Prisma Access in a later step. Optionally, if you need to create a separate instance for Prisma Access, create it and make a note of the instance name.
- Associate the Panorama that manages Prisma Access with Directory Sync in the hub. Directory Sync integration with Prisma Access is not supported in a multi-tenant environment.
  - Find the serial number of the Panorama that manages Prisma Access by selecting the Dashboard and noting the Serial # that displays.
  - Log in to the Palo Alto Networks hub and select Panorama.
  - Find the serial number of the Panorama that manages Prisma Access, select it, then select Add Directory Sync.
  - Click OK when complete.
  - (Optional) If you need to edit an existing Directory Sync instance after you create it, select Prisma Access - DirSync Mapping, select the Panorama’s serial number, select Edit, and enter the following information in the window that displays:
    The Region and Serial Number fields populate automatically.
    - Enter a Name for the Directory Sync - Prisma Access mapping.
    - Optionally, enter a Description for the mapping.
- Enable Directory Sync on Prisma Access.
  - On the Panorama that manages Prisma Access, select one of the following tabs:
    - To configure Directory Sync for Prisma Access for mobile users, select Panorama > Cloud Services > Configuration > Mobile Users, select the gear icon to edit the settings, then select Group Mapping Settings.
    - To configure Directory Sync for Prisma Access for remote networks, select Panorama > Cloud Services > Configuration > Remote Networks, select the gear icon to edit the settings, then select Group Mapping Settings.
  - Select Enable Directory Sync Integration to enable Directory Sync with Prisma Access.
  - Enter the following information:
    - Enter the Primary Username (the logon name attribute for the user, such as userPrincipalName or sAMAccountName). This field is required.
- (Optional) Enter the
    - (Optional) If you use alternate name attributes for the user, enter them. You can enter up to three alternate user names (Alternate User Name 1, Alternate User Name 2, and Alternate User Name 3).
  - Click OK when complete.
- Commit and push (Commit > Commit and Push) your changes.