Configure User-ID based Policy Rules
Table of Contents
Configure User-ID based Policy Rules
Learn about how to configure policy rules with User-ID or User Groups in Prisma
SD-WAN.
| Where Can I Use This? | What Do I Need? |
|---|---|
|
|
Prisma SD-WAN supports User-ID based policies, wherein you can
configure policies directly for a user or a group of users. You can use the user
name or the group name as part of a policy rule for path, QoS, and security
policies.
You can apply User-ID based policies only to tenant service group (TSG) compatible
tenants.
Workflow:
The PAN-OS firewall maps IP addresses to users. The Cloud Identity Engine maps users to user
groups.
- A data center ION device learns the User-ID mapping from a User-ID Agent running on a PAN-OS
firewall. The User-ID client software runs on the data center ION device. ION devices support only those PAN-OS firewalls running versions 10.1.7, 10.2.3, 11.0.x, or higher.
- The DC ION device pushes the User-ID to IP address mapping to the Prisma SD-WAN controller.
- The Prisma SD-WAN controller interacts with the Cloud Identity Engine for User ID to User Group mapping.
- The Prisma SD-WAN controller distributes these mappings to branches (after site-specific filtering based on prefixes and policies).
- The Prisma SD-WAN controller pushes User-ID based policies to branch site ION devices.
- The branch ION devices apply User-ID based policies.
- The branch ION devices tag the Prisma SD-WAN traffic with user name information for site-to-site traffic.
- The branch ION devices use the tag (username) received in the WAN traffic to enforce User-ID based policies for remote site users.
- The branch ION devices send stats/logs for User ID/Group ID used in the policies to the controller.
Prisma SD-WAN supports WAN to LAN User-ID based policies for traffic between branch
sites with direct tunnels, but it does not support User-ID based policies for
traffic that originates from or transits through a data center.
You will need the following licenses and subscriptions in the same tenant service
group (TSG) that Prisma SD-WAN belongs to, in order to configure User-ID based
policies in Prisma SD-WAN.
- PAN-OS firewall
- Cloud Identity Agent activation
Use the following steps to configure User-ID based policies in Prisma
SD-WAN.
- Set up the connection to the User-ID agent.Configure a data center ION device to connect to the User ID Agent in the PAN-OS firewall.
- Select and then select a data center site.Click Configure User Agent.Click Add User Agent.
![]()
- Enter a Name for the User Agent
configuration.You can choose to disable the connection between the user agent client and the user agent running on the PAN-OS firewall by selecting the Disabled check box.
- Enter the Host IP address or a fully
qualified domain name (FQDN)for the PAN-OS firewall.If you specify an FQDN, use the down-level logon name in the (DLN)\sAMAccountName format instead of the FQDN\sAMAccountName format. For example, use example\user.services not example.com\user.services.
- Enter the Port number for the PAN-OS firewall.
- (Optional) Enter a Collector Name.Enter this information if you are using a Virtual System (hardware firewall).
- (Optional) Enter a Collector Pre-Shared Key and confirm.
- Submit your configuration.
Configure user attributes.- Select .Click Configure Identity Engine.
![]()
The formats supported are:- User Principal Name—User-id@domain.com
- SAM Account Name—NetBIOS/User-ID formatWhen the username format is a SAM Account Name, Prisma SD-WAN supports only the netbios\<user> format and not the domain\<user> format.
Add users and/or user groups in policy rules.You can add users or user groups in path, QoS, and security policy rules.- Select .On the Users tab, select a User and/or a Group from the User/Group drop-down.The default value is Any.An explicitly specified user name has priority over a group name. An explicitly specified group name has priority over any/known/unknown user.
