Configure Your Prisma Access Deployment to Retrieve Group Mapping

Retrieve User-ID group mapping for Prisma Access by configuring an on-premise firewall as a master device.
After you configure User-ID mapping in Prisma Access, you need to be able to retrieve the current IP address-to-username and username-to-user group information for mobile users and users at remote networks. To allow the Panorama that manages your deployment to retrieve group mapping information, you must add one or more next-generation firewalls to your deployment and then designate the firewall as a Master Device. You then create policies in Panorama and enforce the policies using the list of user groups that Panorama retrieved from the Master Device.
Panorama cannot retrieve group mapping information in Prisma Access deployments without next-generation firewalls, because Prisma Access does not have any devices in its device groups that you can specify as a Master Device. If you have a standalone Prisma Access deployment, you can still implement User-ID mapping in policies by using long-form Distinguished Name (DN) entries.

Retrieve Group Mappings Using a Master Device

To allow Panorama to collect group mappings, you need to add a device group, then designate one or more next-generation firewalls as a Master Device. You can configure either an on-premise firewall or a VM-Series firewall as a master device.
  • To allow Panorama to collect group mapping information from mobile users, create a device group that specifies the on-premise or VM-Series firewall as the Master Device and specify this device group as a Parent Device Group of the Mobile_User_Device_Group device group.
  • To allow Panorama to collect group mapping information from users connected to remote networks, create a device group that specifies the on-premise or VM-Series firewall as the Master Device and specify this device group as a Parent Device Group of the Remote_Network_Device_Group device group.
  • To allow Panorama to collect group mapping information from users or resources available through a service connection, create a device group that specifies the on-premise or VM-Series firewall as the Master Device and specify this device group as a Parent Device Group of the Service_Conn_Device_Group device group.
Auto-population of users and groups applies only to the parent device group that is associated with the master device. It does not apply to the child device groups (Mobile_User_Device_Group, Remote_Network_Device_Group, or Service_Conn_Device_Group). See Configure an On-Premise or VM-Series Firewall as a Master Device for details.
The Master Devices can serve as the termination point of a remote network connection or service connection, but this connection method is not required for the process to work, as shown in the following example. The following figure shows a User-ID deployment where the administrator has configured an on-premise device as a Master Device. Callouts in the figure show the process.
  1. A next-generation on-premise or VM-Series firewall that the administrator has configured as a Master Device retrieves the latest User-ID information from the LDAP server and User-ID agent in the data center.
  2. Panorama gets the list of usernames, user group names, and group mapping information from the Master Device.
We recommend using a Group Include List in the LDAP server profile, so that you can specify which groups you want to retrieve, instead of retrieving all group information.
[Figure: user-id-master-device.png]

Configure an On-Premise or VM-Series Firewall as a Master Device

Use the following procedure to configure an on-premise or VM-series firewall as a Master Device.
  1. Create device groups for mobile users, remote networks, and service connections as required, and specify the on-premise device as the Master Device.
    1. Select Panorama > Managed Devices > Device Groups.
    2. Add a new device group.
    3. Enter a Name for the device group.
    4. Leave the Parent Device Group as Shared.
    5. In the Devices area, select the Name of the on-premise or VM-Series device that you want to set as the Master Device.
    6. Select Store user and groups from Master Device if Reporting and Filtering on Groups is enabled in Panorama Settings.
       This option allows Panorama to locally store usernames, user group names, and group mapping information that it receives from the Master Device.
    7. Click OK.
       The following screenshot shows a device group that designates a Master Device to be used for the service connection.
       [Figure: user-id-device-group-service-connection.png]
  2. Associate the device groups you created with your Prisma Access mobile user, remote network, or service connection deployment.
    • To associate a device group with a mobile user deployment, select Panorama > Cloud Services > Configuration > Mobile Users, edit the settings by clicking the gear icon in the Settings area, and select the device group you created for mobile users as the Parent Device Group.
      [Figure: user-id-device-group-mobile-user.png]
    • To associate a device group with a remote network connection, select Panorama > Cloud Services > Configuration > Remote Networks, edit the settings by clicking the gear icon in the Settings area, and select the device group you created for the remote network connection as the Parent Device Group.
      [Figure: user-id-networks-parent-device-group.png]
    • To associate a device group with a service connection, select Panorama > Cloud Services > Configuration > Service Setup, edit the settings by clicking the gear icon in the Settings area, and select the device group you created for the service connection as the Parent Device Group.
      [Figure: user-id-service-connection-parent-device-group.png]
    After you create a parent device group, Prisma Access automatically populates group mapping only for the device group that is associated with the master device. In the previous examples, auto-population would occur only in the User-ID DG Mobile Users, User-ID DG Remote Connection, and User-ID DG Service Connection device groups, and would not populate the Mobile_User_Device_Group, Remote_Network_Device_Group, or Service_Conn_Device_Group device groups, respectively.
  3. Click OK.

Implement User-ID in Security Policies For a Standalone Prisma Access Deployment

In a standalone Prisma Access deployment without a Master Device, you can apply group-based policy using long-form DN entries in Panorama. Prisma Access uses the DN entries to evaluate the User-ID-based policies you have configured in Panorama.
For example, given a user named Bob Alice who works in IT for the organization Hooli in the United States, a matching security policy may have ou=IT Staff,O=Hooli,C=US if the policy is to be applied to all IT staff, or CN=Bob Alice,ou=IT Staff,O=Hooli,C=US if the policy is to be applied only to Bob Alice.
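The following added example (not Prisma Access or Panorama code) models how a long-form DN entry in a policy can be checked against a user's DN, using the Bob Alice and IT Staff entries above. It assumes that an entry matches any DN whose trailing RDNs equal the entry, so the ou-level entry covers all IT staff while the full CN entry covers one user; attribute types and values are compared case-insensitively and backslash-escaped commas are honoured.

```python
from typing import List, Tuple

RDN = Tuple[str, str]


def parse_dn(dn: str) -> List[RDN]:
    """Split a DN into normalised (type, value) RDNs, leftmost (most specific) first.
    Backslash-escaped commas in values (e.g. 'CN=Doe\\, Jane') are kept as part
    of the value; attribute types and values are compared case-insensitively.
    """
    rdns: List[RDN] = []
    current: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i + 1])  # escaped character, taken literally
            i += 2
            continue
        if ch == ",":
            rdns.append(_split_rdn("".join(current)))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append(_split_rdn("".join(current)))
    return rdns


def _split_rdn(raw: str) -> RDN:
    attr, sep, value = raw.partition("=")
    if not sep:
        raise ValueError(f"RDN without '=': {raw!r}")
    return attr.strip().lower(), " ".join(value.split()).lower()


def dn_matches_policy(user_dn: str, policy_dn: str) -> bool:
    """True if the user's DN is the policy entry itself or lies beneath it.
    Assumption (illustrative, not Prisma Access code): a policy entry matches
    every DN whose trailing RDNs equal the entry, so 'ou=IT Staff,O=Hooli,C=US'
    covers all IT staff while a full CN entry covers one user only.
    """
    user, policy = parse_dn(user_dn), parse_dn(policy_dn)
    return len(policy) <= len(user) and user[len(user) - len(policy):] == policy


def matching_policies(user_dn: str, policies: List[Tuple[str, str]]) -> List[str]:
    """Names of (name, dn_entry) policies whose entry applies to user_dn."""
    return [name for name, entry in policies if dn_matches_policy(user_dn, entry)]
```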
