Redistribute User-ID Information Between Prisma Access and On-Premises Firewalls
Enforce user-based policy for mobile users and remote networks by redistributing the User-ID mapping to and from Prisma Access.
After you configure User-ID, you can consistently enforce user-based policy for all mobile users and users at remote network locations by configuring User-ID redistribution to redistribute the User-ID mapping from Prisma Access to all next-generation firewalls that secure access to network resources.
Use one of the following methods to redistribute User-ID mappings between Prisma Access (for mobile users and users at remote networks) and an on-premises next-generation firewall, depending on the direction in which you want to redistribute the User-IDs:
Redistribute User-ID Information From Prisma Access to an On-Premises Firewall
In cases where mobile users need to access a resource at a remote network location or the HQ/data center, and the resource is secured by an on-premises next-generation firewall with user-based policies, you must redistribute User-ID mappings for the Prisma Access mobile users and users at remote networks to the on-premises firewall. When a user connects to Prisma Access, Prisma Access collects this user-to-IP address mapping and stores it.
The following figure shows two mobile users that have an existing IP address-to-username mapping in Prisma Access. Prisma Access then redistributes this mapping by way of a service connection to the on-premises firewall that secures the HQ/data center.

To redistribute User-ID mappings from Prisma Access to an on-premises firewall, complete the following steps.
Before you start this task, find the User-ID Agent Address in Prisma Access by selecting Panorama > Cloud Services > Status > Network Details, selecting the Service Connection radio button, and viewing the information in the User-ID Agent Address field.
1. Configure Prisma Access as a User-ID agent that redistributes user mapping information.
   - In the Panorama that manages Prisma Access, select Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup (for Panorama 9.1.x appliances) or Device > Data Redistribution > Collector Settings (for Panorama 10.x appliances). Make sure that you have selected the Service_Conn_Template in the Templates drop-down at the top of the page. The User-ID agent in Prisma Access receives its User-ID mapping from the domain controller in the data center by way of the service connection.
   - Click the gear icon to edit the settings.
   - Select Redistribution (Panorama 9.1.x appliances only).
   - Provide a User-ID Collector Name and a User-ID Collector Pre-Shared Key to identify Prisma Access as a User-ID agent.
   - Click OK to save your changes.
2. Configure the on-premises firewall to collect the User-ID mapping from Prisma Access.
   - From the on-premises firewall, select Panorama > User Identification > User-ID Agents (for 9.1.x Panorama appliances) or Panorama > Data Redistribution > Agents (for Panorama 10.x appliances).
   - Add a User-ID Agent and give it a Name.
   - Select Host and Port.
   - Enter the User-ID Agent Address from Prisma Access in the Host field.
   - Enter the User-ID Collector Name and User-ID Collector Pre-Shared Key for the Prisma Access collector you created in Step 1.
   - Click OK.
3. Repeat these steps for each service connection.
Redistribute User-ID Information From an On-Premises Firewall to Prisma Access
In cases where users are at a branch location or HQ that is secured by an on-premises next-generation firewall with user-based policies, and they need to access resources at another branch location that you have secured with Prisma Access, you must redistribute User-ID mappings from the on-premises firewall to Prisma Access.
The following figure shows an HQ/data center with an on-premises next-generation firewall with existing IP address-to-username mappings. Prisma Access connects to the firewall with a service connection, and the on-premises firewall redistributes the mapping to Prisma Access.

To redistribute User-ID mappings from an on-premises firewall to Prisma Access, complete the following steps.
1. Configure the on-premises firewall to redistribute User-ID information to Prisma Access.
   - From the on-premises firewall, select Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup (for Panorama 9.1.x appliances) or Device > Data Redistribution > Collector Settings (for Panorama 10.x appliances).
   - Click the gear icon to edit the settings.
   - Select Redistribution (9.1.x devices only).
   - Provide a User-ID Collector Name and a User-ID Collector Pre-Shared Key to identify the on-premises firewall as a User-ID agent.
   - Click OK to save your changes.
2. Configure Prisma Access to collect the User-ID mapping from the on-premises firewall.
   - From the Panorama that manages Prisma Access, select Panorama > User Identification > User-ID Agents (for 9.1.x Panorama appliances) or Panorama > Data Redistribution (for Panorama 10.x appliances). Make sure that you have selected the Remote_Network_Template in the Templates drop-down at the top of the page.
   - Add a User-ID Agent and give it a Name.
   - Select Host and Port.
   - Enter the IP address of the MGT interface or service route that the firewall uses to send user mappings in the Host field. For the MGT interface, you can enter a hostname instead of the IP address.
   - Enter the User-ID Collector Name and User-ID Collector Pre-Shared Key, using the values for the collector you created for the on-premises firewall in Step 1.
   - Click OK.
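To make concrete what the two procedures on this page set up, here is an added example (not Palo Alto Networks code, and not the PAN-OS User-ID wire protocol): a Python model in which one enforcement point acts as the collector, identified by a User-ID Collector Name and Pre-Shared Key, and the other acts as the agent that pulls the IP-address-to-username table from it. The class names, the challenge/HMAC handshake, the sample users and the addresses are all constructed for the model. It demonstrates the three things a practitioner checks when mappings do not show up on the other side: redistribution must be enabled on the collector, the name and key configured on the agent must match the collector exactly, and each direction is a separate configuration.

```python
"""Toy model of User-ID redistribution (added example, not Palo Alto Networks code).

The challenge/HMAC handshake and message shapes are assumptions for this model,
not the real PAN-OS User-ID protocol. Sample users and addresses are constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class UserMapping:
    ip: str
    user: str
    source: str  # where the mapping was learned (constructed labels)


class Enforcer:
    """A Prisma Access node or on-premises firewall holding IP-to-user mappings."""

    def __init__(self, name: str):
        self.name = name
        self.mappings: dict[str, UserMapping] = {}
        self.collector = None  # (collector name, pre-shared key) when redistributing
        self.agents = []       # (peer, collector name, pre-shared key) we pull from

    def learn(self, ip: str, user: str, source: str) -> None:
        """Record a mapping learned locally (mobile-user login, domain controller, ...)."""
        self.mappings[ip] = UserMapping(ip, user, source)

    def enable_collector(self, collector_name: str, psk: str) -> None:
        """Step 1 of either procedure: identify this device as a User-ID collector."""
        self.collector = (collector_name, psk)

    def add_agent(self, peer: "Enforcer", collector_name: str, psk: str) -> None:
        """Step 2: point at a collector (in the real config, its Host and Port)."""
        self.agents.append((peer, collector_name, psk))

    @staticmethod
    def _proof(psk: str, collector_name: str, challenge: str) -> str:
        # Assumed handshake: HMAC over name and challenge keyed with the pre-shared key.
        msg = f"{collector_name}:{challenge}".encode()
        return hmac.new(psk.encode(), msg, hashlib.sha256).hexdigest()

    # Collector side -----------------------------------------------------------
    def issue_challenge(self) -> str:
        return secrets.token_hex(16)

    def serve(self, collector_name: str, challenge: str, proof: str):
        """Return the mapping table only if the caller proves it holds the PSK."""
        if self.collector is None:
            return None  # redistribution not enabled on this device
        name, psk = self.collector
        expected = self._proof(psk, name, challenge)
        if collector_name != name or not hmac.compare_digest(expected, proof):
            return None  # wrong collector name or key: nothing is shared
        return [(m.ip, m.user) for m in self.mappings.values()]

    # Agent side ---------------------------------------------------------------
    def pull(self) -> int:
        """Pull mappings from every configured collector; return how many were new."""
        learned = 0
        for peer, collector_name, psk in self.agents:
            challenge = peer.issue_challenge()
            proof = self._proof(psk, collector_name, challenge)
            table = peer.serve(collector_name, challenge, proof)
            for ip, user in table or []:
                if ip not in self.mappings:
                    self.mappings[ip] = UserMapping(ip, user, f"redistributed-from:{peer.name}")
                    learned += 1
        return learned

    def user_for(self, ip: str):
        m = self.mappings.get(ip)
        return m.user if m else None


def build_lab():
    """Constructed topology: two mobile users on Prisma Access, one HQ user on-premises."""
    prisma = Enforcer("prisma-access")
    hq_fw = Enforcer("hq-firewall")
    prisma.learn("10.50.1.10", "corp\\alice", "mobile-user")
    prisma.learn("10.50.1.11", "corp\\bob", "mobile-user")
    hq_fw.learn("192.168.10.25", "corp\\carol", "domain-controller")
    return prisma, hq_fw


def redistribute_prisma_to_onprem(psk_on_firewall="psk-example"):
    """First procedure: Prisma Access is the collector, the HQ firewall is the agent."""
    prisma, hq_fw = build_lab()
    prisma.enable_collector("prisma-collector", "psk-example")
    hq_fw.add_agent(prisma, "prisma-collector", psk_on_firewall)
    new = hq_fw.pull()
    # The reverse direction is not configured, so the HQ user stays unknown to Prisma.
    return new, hq_fw.user_for("10.50.1.10"), prisma.user_for("192.168.10.25")


def redistribute_onprem_to_prisma():
    """Second procedure: the HQ firewall is the collector, Prisma Access is the agent."""
    prisma, hq_fw = build_lab()
    hq_fw.enable_collector("hq-collector", "psk-example")
    prisma.add_agent(hq_fw, "hq-collector", "psk-example")
    return prisma.pull(), prisma.user_for("192.168.10.25")


if __name__ == "__main__":
    print(redistribute_prisma_to_onprem())             # (2, 'corp\\alice', None)
    print(redistribute_prisma_to_onprem("wrong-key"))  # (0, None, None)
    print(redistribute_onprem_to_prisma())             # (1, 'corp\\carol')
```

The mismatched-key case returns zero mappings rather than an error, which mirrors the practical symptom on a real deployment: policy silently falls back to unknown-user handling, so the agent's connection state is the first thing to verify when user-based rules stop matching.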