Prisma Access User-Based Policy
Enforce user-based policy using Prisma Access.
Where Can I Use This?
  • Prisma Access (Cloud Management)
  • Prisma Access (Panorama Managed)
What Do I Need?
  • Cloud Identity Engine
  • Prisma Access license
Prisma Access requires that you configure IP address-to-username mapping to consistently enforce user-based policy for mobile users and users at remote network locations. In addition, you need to configure username-to-user group mapping if you want to enforce policy based on group membership.
To select the groups from a drop-down list when you create and configure policies in Panorama, you can also configure Panorama to obtain the list of user groups retrieved from the username-to-user group mapping.
The following sections provide an overview and the steps you perform to configure and implement User-ID and use the Cloud Identity Engine to get IP address-to-username and username-to-user group mapping in Prisma Access.
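The way the two mappings feed policy evaluation, as an added example in Python (not Palo Alto Networks code or configuration): it models the IP address-to-username table, the username-to-user group table built from directory data, a Group Include List like the one recommended in the Panorama steps, and first-match rule evaluation. Every IP address, username, group DN and rule name is constructed sample data; the "any" and "known-user" keywords mirror the values a PAN-OS source-user field accepts, but the evaluation logic is a simplified model, not the product's.

```python
"""Toy model of user-based policy evaluation driven by User-ID mappings.

Added example, not Palo Alto Networks code. It models the two mapping tables
the page describes (IP address-to-username and username-to-user group), the
Group Include List filter recommended for the LDAP server profile, and how a
rule's user/group criterion is matched. All data below is constructed.
"""
from dataclasses import dataclass

# Constructed sample: IP address-to-username mappings as a User-ID source would learn them.
IP_TO_USER = {
    "10.1.1.10": "acme\\alice",
    "10.1.1.11": "acme\\bob",
    # 10.1.1.12 deliberately has no mapping (timed out or never learned)
}

FINANCE = "cn=finance,ou=groups,dc=acme,dc=local"
ALL_STAFF = "cn=all-staff,ou=groups,dc=acme,dc=local"

# Constructed sample: group membership as returned by the directory (Directory Sync / LDAP).
DIRECTORY = {
    "acme\\alice": {FINANCE, ALL_STAFF},
    "acme\\bob": {ALL_STAFF},
}

# Constructed sample Group Include List: only these groups are retrieved from the directory.
GROUP_INCLUDE_LIST = {FINANCE}


def build_group_mapping(directory, include_list=None):
    """Username-to-user group mapping; with an include list, other groups are not retrieved."""
    mapping = {}
    for user, groups in directory.items():
        if include_list is not None:
            groups = {g for g in groups if g in include_list}
        mapping[user] = set(groups)
    return mapping


@dataclass(frozen=True)
class Rule:
    name: str
    users: frozenset  # usernames, group DNs, or the keywords "any" / "known-user"
    action: str


def rule_matches(rule, username, groups):
    """Match the rule's user criterion against the identity mapped for the source IP."""
    if "any" in rule.users:
        return True
    if username is None:
        # No IP address-to-username mapping: no user- or group-based rule can match.
        return False
    if "known-user" in rule.users or username in rule.users:
        return True
    return bool(rule.users & groups)


def evaluate(src_ip, rules, ip_to_user, group_mapping):
    """First-match evaluation over the rulebase, with an implicit final deny."""
    username = ip_to_user.get(src_ip)
    groups = group_mapping.get(username, set()) if username else set()
    for rule in rules:
        if rule_matches(rule, username, groups):
            return rule.name, rule.action
    return "implicit-deny", "deny"


# Constructed sample rulebase, evaluated top to bottom.
RULES = [
    Rule("finance-to-erp", frozenset({FINANCE}), "allow"),
    Rule("staff-web", frozenset({ALL_STAFF}), "allow"),
    Rule("known-users-basic", frozenset({"known-user"}), "allow"),
]


def decide(src_ip, include_list=GROUP_INCLUDE_LIST):
    """Build the group mapping under the given include list and evaluate one source IP."""
    group_mapping = build_group_mapping(DIRECTORY, include_list)
    return evaluate(src_ip, RULES, IP_TO_USER, group_mapping)


if __name__ == "__main__":
    for ip in ("10.1.1.10", "10.1.1.11", "10.1.1.12"):
        print(ip, decide(ip))
    # bob's all-staff membership is outside the include list, so staff-web never
    # matches him until the include list is widened to cover that group.
    print("10.1.1.11 with all-staff included:", decide("10.1.1.11", GROUP_INCLUDE_LIST | {ALL_STAFF}))
```

Two behaviours worth noticing: the unmapped source 10.1.1.12 falls through every user-based rule to the implicit deny, which is why the mapping must exist before user-based policy enforces consistently; and a Group Include List that omits a group referenced by a rule silently prevents that rule from matching, so the include list has to cover every group your rules use.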

Configure User-Based Policy for Prisma Access

Cloud Management

After integrating Cloud Identity Engine with Prisma Access, you must confirm that Prisma Access is connected to Cloud Identity Engine, and that Cloud Identity Engine is sharing directory information with Prisma Access.
  • Check that you can see your directories in Prisma Access.
    Go to Manage > Configuration > Identity Services > Cloud Identity Engine.
    If you're using Strata Cloud Manager, go to Manage > Configuration > NGFW and Prisma Access > Identity Services > Cloud Identity Engine.
  • Verify that you can add users and groups to a policy rule.
    Select Manage > Security Services > Security or Decryption.
    If you're using Strata Cloud Manager, go to Manage > Configuration > NGFW and Prisma Access > Security Services > Decryption.
    In a security or decryption policy rule, check that the Users dropdown displays your Active Directory user and group entries. Now you can start adding these users and groups to your security and decryption policy rules.
When you've confirmed that Cloud Identity Engine is successfully connected, you can begin running user activity reports to gain greater visibility into the behavior of your user base.

Panorama

Set up User-ID mapping in Prisma Access (Panorama Managed).
This section provides the steps you perform to configure User-ID for Prisma Access.
  1. Configure IP address-to-username mapping for your mobile users and users at remote network locations.
  2. Configure username-to-user group mapping for your mobile users and users at remote network locations.
    For Mobile Users—GlobalProtect, Explicit Proxy, and remote network deployments, configure the Directory Sync component of the Cloud Identity Engine to retrieve user and group information from your Active Directory (AD); then, configure Group Mapping Settings in your Mobile Users—GlobalProtect or remote network deployment.
    Alternatively, you can enable username-to-user group mapping for mobile users and users at remote networks using an LDAP server profile.
    We recommend using a Group Include List in the LDAP server profile, so that you can specify which groups you want to retrieve, instead of retrieving all group information.
  3. Allow Panorama to use username-to-user group mapping in security policies by completing one of the following actions: