Preserve User and Device-ID Mapping for Service Connections with Source NAT (Panorama)

1. Enter Pre-NAT Identification parameters on the NGFW.

   1. Log in to the NGFW, or log into the SCM or Panorama that manages the NGFW, and go to NetworkZones.
   2. Add a zone or select an existing zone.
   3. Select one or more Pre-NAT Identification parameters:

      • User-ID—Preserves the mobile user User-ID mapping used before the IP addresses were NATted. Enable this if you're using User-IDs in security policy rules.
      • Device-ID—Preserves the mobile user Device-ID mapping used before the IP addresses were NATted. Enable this if you're using Device-ID in security policy rules.
      • Source Lookup—Enables you to match the original Source IP address received from GlobalProtect. If you're using source lookup in QoS or policy-based forwarding (PBF) policies, the source IP comparison is based on the pre-NAT source IP address. For example, if you had a security policy that allowed a source IP address of 1.1.1.1 and a destination IP address of Any, 1.1.1.1 is compared with the pre-NAT source IP address in the packet header.
      • Enable Original ID Downstream—If you have two NGFWs in a row, specify this option to have the first NGFW send the pre-NAT information to the second NGFW after the first NGFW has inspected the traffic and applied policies to it. This is the default configuration on SC-CANs.

   4. Click OK and Commit your changes.
2. Create a command-line interface (CLI) session with the NGFW and enter the following command in configuration mode:

   set deviceconfig setting preserve-prenat-feature yes

   If you need to disable this feature in the future, enter set deviceconfig setting preserve-prenat-feature no.
3. From the Panorama that manages Prisma Access, enable pre-NAT settings.

   1. Go to PanoramaCloud ServicesConfigurationService Setup and click the gear to edit the Settings.
   2. Select Preserve pre-NAT (User-ID/Device-ID).

   3. Commit and Push your changes.