After you configure User-ID mapping in Prisma Access, you need to be able to retrieve the current IP address-to-username and username-to-user group information for mobile users and users at remote networks. To allow the Panorama that manages your deployment to retrieve group mapping information, you must add one or more next-generation firewalls to your deployment and then designate the firewall as a Master Device. You then create policies in Panorama and enforce the policies using the list of user groups that Panorama retrieved from the Master Device.

To collect username-to-user group mapping in Prisma Access; you can either configure the Directory Sync component of the Cloud Identity Engine to retrieve user and group information or specify an on-premises firewall as a Master Device. You can also implement User-ID mapping in policies using long-form Distinguished Name (DN) entries.