Redistribute User-ID Information Between Prisma Access and On-Premises Firewalls

Enforce user-based policy for mobile users and remote networks by redistributing the User-ID mapping to and from Prisma Access.
After you configure User-ID, you can consistently enforce user-based policy for all mobile users and users at remote network locations by configuring User-ID redistribution, which redistributes the User-ID mapping from Prisma Access to all next-generation firewalls that secure access to network resources.
Use one of the following methods to redistribute User-ID mappings between Prisma Access (mobile users and users at remote networks) and an on-premises next-generation firewall, depending on the direction in which you want to redistribute them:

Redistribute User-ID Information From Prisma Access to an On-Premises Firewall

In cases where mobile users need to access a resource at a remote network location or HQ/data center, and that resource is secured by an on-premises next-generation firewall with user-based policies, you must redistribute User-ID mappings for Prisma Access mobile users and users at remote networks to the on-premises firewall. When a user connects to Prisma Access, Prisma Access collects this user-to-IP address mapping and stores it.
The following figure shows two mobile users that have an existing IP address-to-username mapping in Prisma Access. Prisma Access then redistributes this mapping by way of a service connection to the on-premises firewall that secures the HQ/data center.
To redistribute User-ID mappings from Prisma Access to an on-premises firewall, complete the following steps.
Before you start this task, find the User-ID Agent Address in Prisma Access by selecting Panorama > Cloud Services > Status > Network Details, selecting the Service Connection radio button, and viewing the information in the User-ID Agent Address field.
  1. Configure Prisma Access as a User-ID agent that redistributes user mapping information.
    1. In the Panorama that manages Prisma Access, select Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup (for Panorama 9.1.x appliances) or Device > Data Redistribution > Collector Settings (for Panorama 10.x appliances).
      Make sure that you have selected the Service_Conn_Template in the Templates drop-down at the top of the page. The User-ID agent in Prisma Access receives its User-ID mapping from the domain controller in the data center by way of the service connection.
    2. Click the gear icon to edit the settings.
    3. Select Redistribution (Panorama 9.1.x Appliances only).
    4. Provide a User-ID Collector Name and a User-ID Collector Pre-Shared Key to identify Prisma Access as a User-ID agent.
    5. Click OK to save your changes.
  2. Configure the on-premises firewall to collect the User-ID mapping from Prisma Access.
    1. From the on-premises firewall, select Panorama > User Identification > User-ID Agents (for 9.1.x Panorama appliances) or Panorama > Data Redistribution > Agents (for Panorama 10.x appliances).
    2. Add a User-ID Agent and give it a Name.
    3. Select Host and Port.
    4. Enter the User-ID Agent Address from Prisma Access in the Host field.
    5. Enter the User-ID Collector Name and User-ID Collector Pre-Shared Key for the Prisma Access collector you created in Step 1.
    6. Click OK.
    7. Repeat these steps for each service connection.
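One way to confirm that the on-premises firewall actually learned the mobile-user mappings through the agent you just added, as an added Python example that is not part of this documentation: it parses a constructed sample of the on-premises firewall's `show user ip-user-mapping all` output (the column layout and the `UIA` source code are modeled on PAN-OS and are assumptions here) and flags any address in the Prisma Access mobile-user IP pool whose mapping came from a source other than the redistributing agent.

```python
import ipaddress

# Constructed sample, modeled on "show user ip-user-mapping all" as run on
# the on-premises firewall after redistribution is configured. Not captured
# from a real device; the "From" codes (UIA = User-ID agent, AD, GP) are
# assumed. Backslashes in usernames are doubled for the Python literal.
SAMPLE_OUTPUT = """\
IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
10.50.0.11      vsys1  UIA     corp\\amartin                    2400           2700
10.50.0.12      vsys1  UIA     corp\\jlee                       2650           2700
192.168.10.25   vsys1  AD      corp\\svc-backup                 2100           2700
10.50.0.13      vsys1  GP      corp\\rchen                      1800           2700
"""


def parse_ip_user_mappings(text):
    """Return one dict per mapping row; header and separator lines are skipped
    because their first column does not parse as an IP address."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        rows.append({"ip": ip, "vsys": parts[1], "source": parts[2], "user": parts[3]})
    return rows


def audit_redistributed_pool(text, pool_cidr, expected_source="UIA"):
    """Check the mappings that fall inside the mobile-user IP pool (hypothetical
    pool CIDR supplied by the caller). On the on-premises firewall those users
    only ever authenticate through Prisma Access, so every pool mapping should
    have arrived via the User-ID agent; any other source points at an
    overlapping pool or a stale local mapping worth investigating."""
    pool = ipaddress.ip_network(pool_cidr)
    in_pool = [r for r in parse_ip_user_mappings(text) if r["ip"] in pool]
    unexpected = [r for r in in_pool if r["source"] != expected_source]
    return {
        "pool_mappings": len(in_pool),
        "from_agent": len(in_pool) - len(unexpected),
        "unexpected_source": [(str(r["ip"]), r["source"]) for r in unexpected],
    }


if __name__ == "__main__":
    print(audit_redistributed_pool(SAMPLE_OUTPUT, "10.50.0.0/24"))
```

A pool with zero mappings after users have connected usually means the collector name or pre-shared key does not match between the two sides, or the agent entry points at the wrong service connection's User-ID Agent Address.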

Redistribute User-ID Information From an On-Premises Firewall to Prisma Access

In cases where users are at a branch location or HQ that is secured by an on-premises next-generation firewall with user-based policies, and they need to access resources at another branch location that you have secured with Prisma Access, you must redistribute User-ID mappings from the on-premises firewall to Prisma Access.
The following figure shows an HQ/Data center with an on-premises next-generation firewall with existing IP address-to-username mapping. Prisma Access connects to the firewall with a service connection, and the on-premises firewall redistributes the mapping to Prisma Access.
To redistribute User-ID mappings from an on-premises firewall to Prisma Access, complete the following steps.
  1. Configure the on-premises firewall to redistribute User-ID information to Prisma Access.
    1. From the on-premises firewall, select Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup (for Panorama 9.1.x appliances) or Device > Data Redistribution > Collector Settings (for Panorama 10.x appliances).
    2. Click the gear icon to edit the settings.
    3. Select Redistribution (9.1.x devices only).
    4. Provide a User-ID Collector Name and a User-ID Collector Pre-Shared Key to identify the on-premises firewall as a User-ID agent.
    5. Click OK to save your changes.
  2. Configure Prisma Access to collect the User-ID mapping from the on-premises firewall.
    1. From the Panorama that manages Prisma Access, select Panorama > User Identification > User-ID Agents (for 9.1.x Panorama appliances) or Panorama > Data Redistribution (for Panorama 10.x appliances).
      Make sure that you have selected the Remote_Network_Template in the Templates drop-down at the top of the page.
    2. Add a User-ID Agent and give it a Name.
    3. Select Host and Port.
    4. In the Host field, enter the IP address of the MGT interface or service route that the firewall uses to send user mappings.
      For the MGT interface, you can enter a hostname instead of the IP address.
    5. Enter the User-ID Collector Name and User-ID Collector Pre-Shared Key, using the values for the collector you created for the on-premises firewall in Step 1.
    6. Click OK.