Redistribute User-ID Information Between Prisma Access and On-Premise Firewalls

Enforce user-based policy for mobile users and remote networks by redistributing the User-ID mapping to and from Prisma Access.
After you configure User-ID, you can consistently enforce user-based policy for all mobile users and users at remote network locations by configuring User-ID redistribution, which redistributes the User-ID mappings from Prisma Access to every next-generation firewall that secures access to network resources.
Use one of the following methods to redistribute User-ID mappings between Prisma Access (mobile users and users at remote networks) and an on-premise next-generation firewall, depending on the direction in which you want to redistribute the mappings:

Redistribute User-ID Information From Prisma Access to an On-Premise Firewall

In cases where mobile users need to access a resource on a remote network location or HQ/data center and the resource is secured by an on-premise next-generation firewall with user-based policies, you must redistribute User-ID mappings from the Prisma Access mobile users and users at remote networks to the on-premise firewall. When the user connects to Prisma Access, it collects this user-to-IP address mapping and stores it.
The following figure shows two mobile users that have an existing IP address-to-username mapping in Prisma Access. Prisma Access then redistributes this mapping by way of a service connection to the on-premise firewall that secures the HQ/data center.
[Figure: User-ID mappings for two mobile users redistributed from Prisma Access, over a service connection, to the on-premise firewall at the HQ/data center]
To redistribute User-ID mappings from Prisma Access to an on-premise firewall, complete the following steps.
Before you start this task, find the User-ID Agent Address in Prisma Access by selecting Panorama > Cloud Services > Status > Network Details, selecting the Service Connection radio button, and viewing the information in the User-ID Agent Address field.
  1. Configure Prisma Access as a User-ID agent that redistributes user mapping information.
    1. In the Panorama that manages Prisma Access, select Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup.
      Make sure that you have selected the Service_Conn_Template in the Templates drop-down at the top of the page. The User-ID agent in Prisma Access receives its User-ID mapping from the domain controller in the data center by way of the service connection.
    2. Click the gear icon to edit the settings.
    3. Select Redistribution.
    4. Provide a User-ID Collector Name and a User-ID Collector Pre-Shared Key to identify Prisma Access as a User-ID agent.
    5. Click OK to save your changes.
  2. Configure the on-premise firewall to collect the User-ID mapping from Prisma Access.
    1. From the on-premise firewall, select Device > User Identification > User-ID Agents.
    2. Add a User-ID Agent and give it a Name.
    3. Select Host and Port.
    4. Enter the User-ID Agent Address from Prisma Access in the Host field.
    5. Enter the User-ID Collector Name and User-ID Collector Pre-Shared Key for the Prisma Access collector you created in Step 1.
    6. Click OK.
  3. Repeat these steps for each service connection.

Redistribute User-ID Information From an On-Premise Firewall to Prisma Access

In cases where users are at a branch location or HQ that is secured by an on-premise next-generation firewall with user-based policies, and they need to access resources at another branch location that you have secured with Prisma Access, you must redistribute User-ID mappings from the on-premise firewall to Prisma Access.
The following figure shows an HQ/Data center with an on-premise next-generation firewall with existing IP address-to-username mapping. Prisma Access connects to the firewall with a service connection, and the on-premise firewall redistributes the mapping to Prisma Access.
[Figure: User-ID mappings held by the on-premise firewall at the HQ/data center redistributed, over a service connection, to Prisma Access]
To redistribute User-ID mappings from an on-premise firewall to Prisma Access, complete the following steps.
  1. Configure the on-premise firewall to redistribute User-ID information to Prisma Access.
    1. From the on-premise firewall, select Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup.
    2. Click the gear icon to edit the settings.
    3. Select Redistribution.
    4. Provide a User-ID Collector Name and a User-ID Collector Pre-Shared Key to identify the on-premise firewall as a User-ID agent.
    5. Click OK to save your changes.
  2. Configure Prisma Access to collect the User-ID mapping from the on-premise firewall.
    1. From the Panorama that manages Prisma Access, select Device > User Identification > User-ID Agents.
      Make sure that you have selected the Remote_Network_Template in the Templates drop-down at the top of the page.
    2. Add a User-ID Agent and give it a Name.
    3. Select Host and Port.
    4. Enter the IP address of the MGT interface or service route that the firewall uses to send user mappings in the Host field.
      For the MGT interface, you can enter a hostname instead of the IP address.
    5. Enter the User-ID Collector Name and User-ID Collector Pre-Shared Key, using the values for the collector you created for the on-premise firewall in Step 1.
    6. Click OK.
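The two procedures above configure the same pairing in opposite directions: a collector name and pre-shared key on the side that redistributes, and a User-ID Agent entry on the side that collects, whose Host, collector name and key must all match. The model below is an added illustration, not PAN-OS code and not the real redistribution protocol: it represents each side as a node, delivers mappings only when the collecting side holds a matching agent entry, and shows the practical consequence of a mismatch (no mappings arrive, so a user-based rule on the collecting side never matches, while an address-only check gives no hint why). All names, addresses, users and keys are constructed for the example.

```python
"""Constructed model of User-ID redistribution between Prisma Access and an
on-premise firewall. Not PAN-OS code: it mirrors only the settings the
procedures above create (collector name + pre-shared key on the redistributing
side, a User-ID Agent entry with Host/name/key on the collecting side)."""

import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Collector:
    """Redistribution settings (the Redistribution tab of User-ID Agent Setup)."""
    name: str
    psk: str


@dataclass
class AgentEntry:
    """One configured User-ID Agent entry (Host and Port, collector name, PSK)."""
    name: str
    host: str
    collector_name: str
    psk: str


@dataclass
class Node:
    """Either Prisma Access (one per service connection) or an on-premise firewall."""
    label: str
    address: str                                   # value the peer enters as Host
    collector: Optional[Collector] = None
    agents: List[AgentEntry] = field(default_factory=list)
    mappings: Dict[str, str] = field(default_factory=dict)        # ip -> user
    user_rules: Dict[str, Set[str]] = field(default_factory=dict)  # user -> apps

    def learn(self, ip: str, user: str) -> None:
        """Record an IP-to-user mapping learned locally (e.g. at connect time)."""
        self.mappings[ip] = user

    def policy_allows(self, src_ip: str, app: str) -> bool:
        """User-based policy: only matches when src_ip has a known user."""
        user = self.mappings.get(src_ip)
        return user is not None and app in self.user_rules.get(user, set())


def redistribute(source: Node, dest: Node) -> int:
    """Deliver source's mappings to dest if dest has an agent entry whose Host is
    source's address and whose collector name and PSK match source's collector.
    Returns the number of mappings delivered; 0 means a mismatch somewhere."""
    if source.collector is None:          # Redistribution not enabled on source
        return 0
    for agent in dest.agents:
        if agent.host != source.address:
            continue                      # Host field points elsewhere
        if agent.collector_name != source.collector.name:
            continue                      # collector name mismatch
        if not hmac.compare_digest(agent.psk, source.collector.psk):
            continue                      # pre-shared key mismatch (constant-time)
        dest.mappings.update(source.mappings)
        return len(source.mappings)
    return 0


def prisma_to_onprem() -> tuple:
    """First procedure: mobile user reaching an HQ resource behind an on-prem firewall."""
    prisma = Node("prisma-sc1", "203.0.113.10",
                  collector=Collector("prisma-collector", "constructed-psk-1"))
    prisma.learn("10.8.0.5", "alice")     # learned when alice connected to Prisma Access
    hq_fw = Node("hq-firewall", "198.51.100.1")
    hq_fw.user_rules = {"alice": {"intranet-web"}}
    before = hq_fw.policy_allows("10.8.0.5", "intranet-web")
    hq_fw.agents.append(AgentEntry("from-prisma", "203.0.113.10",
                                   "prisma-collector", "constructed-psk-1"))
    delivered = redistribute(prisma, hq_fw)
    after = hq_fw.policy_allows("10.8.0.5", "intranet-web")
    return before, after, delivered       # (False, True, 1)


def onprem_to_prisma(agent_psk: str) -> tuple:
    """Second procedure: HQ user reaching a remote-network resource behind Prisma Access.
    agent_psk is what was typed into the Prisma Access agent entry."""
    hq_fw = Node("hq-firewall", "198.51.100.1",
                 collector=Collector("hq-collector", "constructed-psk-2"))
    hq_fw.learn("10.1.1.7", "bob")
    prisma = Node("prisma-rn1", "203.0.113.10")
    prisma.user_rules = {"bob": {"branch-app"}}
    prisma.agents.append(AgentEntry("from-hq", "198.51.100.1", "hq-collector", agent_psk))
    delivered = redistribute(hq_fw, prisma)
    return delivered, prisma.policy_allows("10.1.1.7", "branch-app")


if __name__ == "__main__":
    print(prisma_to_onprem())
    print(onprem_to_prisma("constructed-psk-2"))   # (1, True)
    print(onprem_to_prisma("typo-psk"))            # (0, False): silent failure
```

The `onprem_to_prisma("typo-psk")` call is the case worth checking in production: a wrong key or collector name produces no error in the policy result, only an absence of mappings, so after completing either procedure confirm on the collecting side that the expected IP-to-user entries have actually arrived before relying on user-based rules.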
