Redistribute User-ID Information Between Prisma Access and On-Premises
Firewalls
Enforce user-based policy for mobile users and remote
networks by redistributing the User-ID mapping to and from Prisma
Access.
After you configure User-ID, you consistently
enforce user-based policy for all mobile users and users at remote
network locations by configuring User-ID redistribution to
redistribute the User-ID mapping from Prisma Access to all next-generation
firewalls that secure access to network resources.
Use one
the following methods to redistribute User-ID mapping to mobile
users and users in remote networks from an on-premises next-generation
firewall and vice versa, depending on the direction in which you
want to redistribute the User-IDs:
Redistribute User-ID Information From Prisma Access to an
On-Premise Firewall
In cases where mobile users need to access
a resource on a remote network location or HQ/data center and the
resource is secured by an on-premises next-generation firewall with
user-based policies, you must redistribute User-ID mappings from
the Prisma Access mobile users and users at remote networks to the
on-premises firewall. When the user connects to Prisma Access, it
collects this user-to-IP address mapping and stores it.
The
following figure shows two mobile users that have an existing IP address-to-username
mapping in Prisma Access. Prisma Access then redistributes this
mapping by way of a service connection to the on-premises firewall
that secures the HQ/data center.
To redistribute
User-ID mappings from Prisma Access to an on-premises firewall,
complete the following steps.
Before you start this
task, find the
User-ID Agent Address
in Prisma
Access by selecting
Panorama
Cloud Services
Status
Network Details
, selecting
the
Service Connection
radio button, and
viewing the information in the
User-ID Agent Address
field.
Configure
Prisma Access as a User-ID agent that redistributes user mapping
information.
In the Panorama that manages Prisma Access, select
Device
User Identification
User Mapping
Palo Alto Networks
User-ID Agent Setup
(for Panorama 9.1.x
Appliances) or
Device
Data
Redistribution
Collector Settings
(for
Panorama 10.x appliances).
Make sure that you have selected the
Service_Conn_Template
in
the
Templates
drop-down at the top of the
page. The User-ID agent in Prisma Access receives its User-ID mapping from
the domain controller in the data center by way of the service connection.
Click the gear icon to edit the settings.
Select
Redistribution
(Panorama
9.1.x Appliances only).
Provide a
User-ID Collector Name
and a
User-ID
Collector Pre-Shared Key
to identify Prisma Access as
a User-ID agent.
Click
OK
to save your changes.
Configure the on-premises firewall to collect the User-ID
mapping from Prisma Access.
From the on-premises firewall, select
Panorama
User Identification
User-ID Agents
(for 9.1.
x
Panorama
appliances) or
Panorama
Data
Redistribution
Agents
(for
Panorama 10.
x
appliances).
Add
a User-ID Agent and give
it a
Name
.
Select
Host and Port
.
Enter the
User-ID Agent Address
from Prisma
Access in the
Host
field.
Enter the
User-ID Collector Name
and
User-ID
Collector Pre-Shared Key
for the Prisma Access collector
you created in Step 1.
Click
OK
.
Repeat these steps for each service connection.
Redistribute User-ID Information From an On-Premises Firewall
to Prisma Access
In cases where users are at a branch location
or HQ that is secured by an on-premises next-generation firewall
with user-based policies, and they need to access resources at another
branch location that you have secured with Prisma Access, you must redistribute User-ID mappings from
the on-premises firewall to Prisma Access.
The following figure
shows an HQ/Data center with an on-premises next-generation firewall
with existing IP address-to-username mapping. Prisma Access connects to
the firewall with a service connection, and the on-premises firewall
redistributes the mapping to Prisma Access.
To redistribute
User-ID mappings from an on-premises firewall to Prisma Access,
complete the following steps.