Redistribute User-ID Information Between Prisma Access and On-Premises Firewalls

Enforce user-based policy for mobile users and remote networks by redistributing the User-ID mapping to and from Prisma Access.
After you configure User-ID, you consistently enforce user-based policy for all mobile users and users at remote network locations by configuring User-ID redistribution to redistribute the User-ID mapping from Prisma Access to all next-generation firewalls that secure access to network resources.
Use one the following methods to redistribute User-ID mapping to mobile users and users in remote networks from an on-premises next-generation firewall and vice versa, depending on the direction in which you want to redistribute the User-IDs:

Redistribute User-ID Information From Prisma Access to an On-Premise Firewall

In cases where mobile users need to access a resource on a remote network location or HQ/data center and the resource is secured by an on-premises next-generation firewall with user-based policies, you must redistribute User-ID mappings from the Prisma Access mobile users and users at remote networks to the on-premises firewall. When the user connects to Prisma Access, it collects this user-to-IP address mapping and stores it.
The following figure shows two mobile users that have an existing IP address-to-username mapping in Prisma Access. Prisma Access then redistributes this mapping by way of a service connection to the on-premises firewall that secures the HQ/data center.
To redistribute User-ID mappings from Prisma Access to an on-premises firewall, complete the following steps.
Before you start this task, find the
User-ID Agent Address
in Prisma Access by selecting
Panorama
Cloud Services
Status
Network Details
, selecting the
Service Connection
radio button, and viewing the information in the
User-ID Agent Address
field.
  1. Configure Prisma Access as a User-ID agent that redistributes user mapping information.
    1. In the Panorama that manages Prisma Access, select
      Device
      User Identification
      User Mapping
      Palo Alto Networks User-ID Agent Setup
      (for Panorama 9.1.x Appliances) or
      Device
      Data Redistribution
      Collector Settings
      (for Panorama 10.x appliances).
      Make sure that you have selected the
      Service_Conn_Template
      in the
      Templates
      drop-down at the top of the page. The User-ID agent in Prisma Access receives its User-ID mapping from the domain controller in the data center by way of the service connection.
    2. Click the gear icon to edit the settings.
    3. Select
      Redistribution
      (Panorama 9.1.x Appliances only).
    4. Provide a
      User-ID Collector Name
      and a
      User-ID Collector Pre-Shared Key
      to identify Prisma Access as a User-ID agent.
    5. Click
      OK
      to save your changes.
  2. Configure the on-premises firewall to collect the User-ID mapping from Prisma Access.
    1. From the on-premises firewall, select
      Panorama
      User Identification
      User-ID Agents
      (for 9.1.
      x
      Panorama appliances) or
      Panorama
      Data Redistribution
      Agents
      (for Panorama 10.
      x
      appliances).
    2. Add
      a User-ID Agent and give it a
      Name
      .
    3. Select
      Host and Port
      .
    4. Enter the
      User-ID Agent Address
      from Prisma Access in the
      Host
      field.
    5. Enter the
      User-ID Collector Name
      and
      User-ID Collector Pre-Shared Key
      for the Prisma Access collector you created in Step 1.
    6. Click
      OK
      .
    7. Repeat these steps for each service connection.

Redistribute User-ID Information From an On-Premises Firewall to Prisma Access

In cases where users are at a branch location or HQ that is secured by an on-premises next-generation firewall with user-based policies, and they need to access resources at another branch location that you have secured with Prisma Access, you must redistribute User-ID mappings from the on-premises firewall to Prisma Access.
The following figure shows an HQ/Data center with an on-premises next-generation firewall with existing IP address-to-username mapping. Prisma Access connects to the firewall with a service connection, and the on-premises firewall redistributes the mapping to Prisma Access.
To redistribute User-ID mappings from an on-premises firewall to Prisma Access, complete the following steps.
  1. Configure the on-premises firewall to redistribute User-ID information to Prisma Access.
    1. From the on-premises firewall, select
      Device
      User Identification
      User Mapping
      Palo Alto Networks User-ID Agent Setup
      (for Panorama 9.1.x Appliances) or
      Device
      Data Redistribution
      Collector Settings
      (for Panorama 10.x appliances).
    2. Click the gear icon to edit the settings.
    3. Select
      Redistribution
      (9.1.x devices only).
    4. Provide a
      User-ID Collector Name
      and a
      User-ID Collector Pre-Shared Key
      to identify the on-premises firewall as a User-ID agent.
    5. Click
      OK
      to save your changes.
  2. Configure Prisma Access to collect the User-ID mapping from the on-premises firewall.
    1. From the Panorama that manages Prisma Access, select
      Panorama
      User Identification
      User-ID Agents
      (for 9.1.
      x
      Panorama appliances) or
      Panorama
      Data Redistribution
      (for Panorama 10.
      x
      appliances).
      Make sure that you have selected the
      Remote_Network_Template
      in the
      Templates
      drop-down at the top of the page.
    2. Add
      a User-ID Agent and give it a
      Name
      .
    3. Select
      Host and Port
      .
    4. Enter the IP address of the MGT interface or service route that the firewall uses to send user mappings in the
      Host
      field.
      For the MGT interface, you can enter a hostname instead of the IP address.
    5. Enter the
      User-ID Collector Name
      and
      User-ID Collector Pre-Shared Key
      , using the values for the collector you created for the on-premises firewall in Step 1.
    6. Click
      OK
      .

Recommended For You