Configure User-ID for Remote Network Deployments
Focus
Focus

Configure User-ID for Remote Network Deployments

Table of Contents

Configure User-ID for Remote Network Deployments

The process for retrieving User-ID information for Prisma Access is similar to configuring User-ID for on-premise Palo Alto Networks next-generation firewalls. To configure User ID-to-IP address mapping for Prisma Access, use the following workflow.
  1. Map IP addresses to users in Prisma Access.
    • To use a Windows-based User-ID Agent for IP address-to-username mapping, create a dedicated service account for the User-ID agent, then configure user mapping using the Windows User-ID agent.
    • To use the PAN-OS integrated User-ID Agent for IP address-to-username mapping, Create a dedicated service account for the User-ID Agent, then configure User-ID using the PAN-OS integrated User-ID agent.
      If you use either a Windows or PAN-OS User-ID Agent, use the User-ID Agent Address (PanoramaCloud ServicesStatusNetwork DetailsService Connection) from Prisma Access in your User-ID agent configuration to configure your on-premise firewalls to retrieve User-ID mappings from the Prisma Access infrastructure. For more information about User-ID redistribution from Prisma Access to an on-premises firewall, see Redistribute User-ID Information From Prisma Access to an On-Premise Firewall.
      By default, the User-ID agent uses port 5007 to listen for User-ID information requests. Make sure that you implement security policies that allow User-ID traffic from this port between Prisma Access and the Active Directory server or User-ID Agent.
      You can also use the paloalto-userid-agent App ID to retrieve the information from the Windows domain controller; however, if you do this, you must decrypt the SSL traffic for User-ID.
    • To enable IP address-to-username mapping for users with client systems that aren’t logged in to your domain servers—for example, users running Linux clients that don’t log in to the domain—you can Map IP Addresses to Usernames Using Authentication Portal (formerly Captive Portal).
      To authenticate users using MFA, SAML, or Authentication Portal, we recommend mapping a hostname to the Captive Portal Redirect IP Address in Prisma Access and associating it with your internal DNS servers. If you choose to use Kerberos single sign-on (SSO) with the authentication portal, the hostname is required. Alternatively, you can use the Captive Portal Redirect IP Address by itself to redirect users.
      To find the Captive Portal Redirect IP Address, select PanoramaCloud ServicesStatusNetwork DetailsService Infrastructure. Prisma Access assigns this IP address from the infrastructure subnet IP address pool.
    • To enable IP address-to-username mapping using syslog listening, Configure User-ID to Monitor Syslog Senders for User Mapping.
    • To enable IP address-to-username mapping for users on Windows-based terminal servers, Configure User Mapping for Terminal Server Users.
    • To enable IP address-to-username mapping using an XML API, Send User Mappings to User-ID Using the XML API.
    • To enable IP address-to-username mapping without using an agent, Configure User-ID for Prisma Access Using the PAN-OS Integrated User-ID Agent.
  2. Allow Panorama to use group mappings in security policies by completing one of the following actions.