Configure User-ID based Policy Rules
Table of Contents
Configure User-ID based Policy Rules
Learn about how to configure policy rules with User-ID or User Groups in Prisma
SD-WAN.
Prisma SD-WAN
supports User-ID based policies, wherein you can
configure policies directly for a user or a group of users. You can use the user
name or the group name as part of a policy rule for path, QoS, and security
policies. You can apply User-ID based policies only to tenant service group (TSG) compatible
tenants.
Workflow:
The PAN-OS firewall maps IP addresses to users. The Cloud Identity Engine maps users to user
groups.
- A data center ION device learns the User-ID mapping from a User-ID Agent running on a PAN-OS firewall. The User-ID client software runs on the data center ION device.ION devices support only those PAN-OS firewalls running versions 10.1.7, 10.2.3, 11.0.x, or higher.
- The DC ION device pushes the User-ID to IP address mapping to thePrisma SD-WANcontroller.
- ThePrisma SD-WANcontroller interacts with the Cloud Identity Engine for User ID to User Group mapping.
- ThePrisma SD-WANcontroller distributes these mappings to branches (after site-specific filtering based on prefixes and policies).
- ThePrisma SD-WANcontroller pushes User-ID based policies to branch site ION devices.
- The branch ION devices apply User-ID based policies.
- The branch ION devices tag thePrisma SD-WANtraffic with user name information for site-to-site traffic.
- The branch ION devices use the tag (username) received in the WAN traffic to enforce User-ID based policies for remote site users.
- The branch ION devices send stats/logs for User ID/Group ID used in the policies to the controller.
Prisma SD-WAN
supports WAN to LAN User-ID based policies for traffic between branch
sites with direct tunnels, but it does not support User-ID based policies for
traffic that originates from or transits through a data center.You will need the following licenses and subscriptions in the same tenant service
group (TSG) that
Prisma SD-WAN
belongs to, in order to configure User-ID based
policies in Prisma SD-WAN
.- Cloud Identity Agent activation
Use the following steps to configure User-ID based policies in Prisma
SD-WAN.
- Set up the connection to the User-ID agent.Configure a data center ION device to connect to the User ID Agent in the PAN-OS firewall.
- Select and then select a data center site.
- ClickConfigure User Agent.
- ClickAdd User Agent.
- Enter aNamefor the User Agent configuration.You can choose to disable the connection between the user agent client and the user agent running on the PAN-OS firewall by selecting theDisabledcheck box.
- Enter theHostIP address or a fully qualified domain name (FQDN)for the PAN-OS firewall.If you specify an FQDN, use the down-level logon name in the (DLN)\sAMAccountName format instead of the FQDN\sAMAccountName format. For example, use example\user.services not example.com\user.services.
- Enter thePortnumber for the PAN-OS firewall.
- (Optional)Enter a Collector Name.Enter this information if you are using a Virtual System (hardware firewall).
- (Optional)Enter aCollector Pre-Shared Keyand confirm.
- Submityour configuration.
- Configure user attributes.
- Select .
- ClickConfigure Identity Engine.
The formats supported are:- User Principal Name—User-id@domain.com
- SAM Account Name—NetBIOS/User-ID formatWhen the username format is a SAM Account Name,Prisma SD-WANsupports only the netbios\<user> format and not the domain\<user> format.
- Add users and/or user groups in policy rules.You can add users or user groups in path, QoS, and security policy rules.
- Select .
- On theUserstab, select aUserand/or aGroupfrom theUser/Groupdrop-down.The default value isAny.An explicitly specified user name has priority over a group name. An explicitly specified group name has priority over any/known/unknown user.