The process for retrieving User-ID information
for Prisma Access is similar to configuring User-ID for on-premises
Palo Alto Networks next-generation firewalls. To configure User-ID
(IP address-to-username) mapping for Prisma Access, use the following workflow.
If you use either a Windows or PAN-OS
User-ID Agent, use the User-ID Agent Address (Panorama > Cloud Services > Status > Network Details > Service Connection) that Prisma
Access displays in your User-ID agent configuration so that your on-premises
firewalls can retrieve User-ID mappings from the Prisma Access infrastructure.
For more information about User-ID redistribution from Prisma Access to
an on-premises firewall, see Redistribute User-ID Information From Prisma Access to an On-Premise Firewall.
By
default, the User-ID agent listens on TCP port 5007 for User-ID
information requests. Make sure that your security policy
allows User-ID traffic on this port between Prisma Access
and the Active Directory server or User-ID agent.
You
can also use the paloalto-userid-agent App-ID
to identify this traffic when retrieving the information from the Windows domain controller;
however, if you do this, you must decrypt the SSL traffic for User-ID, because the App-ID can only be identified after decryption.
To enable IP address-to-username mapping for users with client
systems that aren’t logged in to your domain servers—for example,
users running Linux clients that don’t log in to the domain—you
can Map IP Addresses to Usernames Using Authentication Portal (formerly
Captive Portal).
To authenticate users using MFA, SAML, or
Authentication Portal, we recommend mapping a hostname to the Captive
Portal Redirect IP Address in Prisma Access and adding that
record to your internal DNS servers. If you use Kerberos
single sign-on (SSO) with the Authentication Portal, the hostname
is required. Otherwise, you can use the Captive Portal
Redirect IP Address by itself to redirect users.
To
find the Captive Portal Redirect IP Address,
select Panorama > Cloud Services > Status > Network Details > Service Infrastructure. Prisma
Access assigns this IP address from the infrastructure subnet IP
address pool.
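Two of the prerequisites in this workflow are easy to get wrong and only show up as failed user mapping later: a security policy that does not actually permit the User-ID agent traffic (port 5007 or the paloalto-userid-agent App-ID) between the Prisma Access User-ID Agent Address and your agent, and a Captive Portal Redirect IP whose hostname record is missing from internal DNS or points elsewhere. The following Python script pre-flights both before you commit. It is an added example, not part of the Prisma Access documentation or any Palo Alto Networks tool: the rule model is a simplified first-match rulebase, and the addresses (192.0.2.0/24 standing in for the User-ID Agent Address, 10.1.1.10 for the on-premises agent, 10.255.0.0/24 for the infrastructure subnet) and the hostname portal.example.internal are constructed values, not anything Prisma Access assigns.

```python
"""Pre-flight checks for the Prisma Access User-ID prerequisites described above.
Added example; the rule model and every address below are constructed, not real values."""
import ipaddress
import socket
from dataclasses import dataclass, field
from typing import Callable, List

USERID_AGENT_PORT = 5007                  # default User-ID agent listening port (TCP)
USERID_APP_ID = "paloalto-userid-agent"   # App-ID that identifies the agent protocol


@dataclass
class Rule:
    """Minimal model of a security rule, evaluated first-match like a firewall rulebase."""
    name: str
    sources: List[str]                    # CIDRs, or "any"
    destinations: List[str]
    applications: List[str] = field(default_factory=lambda: ["any"])
    ports: List[int] = field(default_factory=list)   # empty list == any port
    action: str = "allow"


def _ip_in(ip: str, members: List[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(m == "any" or addr in ipaddress.ip_network(m, strict=False) for m in members)


def userid_traffic_allowed(rules: List[Rule], src_ip: str, dst_ip: str,
                           port: int = USERID_AGENT_PORT, app: str = USERID_APP_ID) -> bool:
    """True if the first matching rule allows the agent traffic; no match is an implicit deny."""
    for rule in rules:
        if not (_ip_in(src_ip, rule.sources) and _ip_in(dst_ip, rule.destinations)):
            continue
        app_ok = "any" in rule.applications or app in rule.applications
        port_ok = not rule.ports or port in rule.ports
        if app_ok and port_ok:
            return rule.action == "allow"
    return False


def check_captive_portal(redirect_ip: str, infra_subnet: str, hostname: str = None,
                         kerberos_sso: bool = False,
                         resolve: Callable[[str], str] = socket.gethostbyname) -> List[str]:
    """Return a list of problems; an empty list means the redirect setup is consistent.

    - the redirect IP must come from the infrastructure subnet pool
    - Kerberos SSO requires a hostname (a bare-IP redirect is acceptable otherwise)
    - the hostname must resolve on internal DNS to exactly the redirect IP
    """
    problems = []
    if ipaddress.ip_address(redirect_ip) not in ipaddress.ip_network(infra_subnet, strict=False):
        problems.append(f"{redirect_ip} is not in the infrastructure subnet {infra_subnet}")
    if hostname is None:
        if kerberos_sso:
            problems.append("Kerberos SSO requires a hostname mapped to the Captive Portal Redirect IP")
        return problems
    try:
        resolved = resolve(hostname)
    except OSError as exc:                # socket.gaierror is an OSError
        problems.append(f"{hostname} does not resolve on internal DNS: {exc}")
        return problems
    if resolved != redirect_ip:
        problems.append(f"{hostname} resolves to {resolved}, expected {redirect_ip}")
    return problems


if __name__ == "__main__":
    # Constructed rulebase: allow the agent protocol from the (constructed) User-ID Agent
    # Address range to the (constructed) on-premises agent, then deny everything else.
    rulebase = [
        Rule("allow-userid-agent", ["192.0.2.0/24"], ["10.1.1.10/32"],
             [USERID_APP_ID], [USERID_AGENT_PORT]),
        Rule("deny-all", ["any"], ["any"], action="deny"),
    ]
    print("agent traffic allowed:", userid_traffic_allowed(rulebase, "192.0.2.5", "10.1.1.10"))
    # Stub resolver so the check runs offline; drop the argument to query real DNS.
    stub_dns = {"portal.example.internal": "10.255.0.9"}.__getitem__
    print("captive portal problems:",
          check_captive_portal("10.255.0.9", "10.255.0.0/24", "portal.example.internal",
                               kerberos_sso=True, resolve=stub_dns))
```

The `resolve` parameter defaults to `socket.gethostbyname`, so when run without the stub the DNS check reflects whatever resolver the host is using; run it from a machine that uses the same internal DNS servers your users do, otherwise a correct internal record can look missing.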