Retrieve Group Mappings Using a Master Device
Use a next-generation or VM-series firewall as a Master Device to collect user and group mappings in the Prisma Access deployment.
To allow Panorama to collect group mappings, you need to add a device group, then designate one or more next-generation firewalls as a Master Device. You can configure either an on-premises firewall or a VM-series firewall as a master device.
A master device is not the only method you can use to collect username-to-user-group mapping. You can also configure the Directory Sync component of the Cloud Identity Engine to retrieve user and group information from your Active Directory (AD); then, configure Group Mapping Settings in your Mobile Users—GlobalProtect or remote network deployment.
  • To allow Panorama to collect group mapping information from mobile users, create a device group that specifies the on-premises or VM-series firewall as the Master Device and specify this device group as a Parent Device Group of the Mobile_User_Device_Group device group.
  • To allow Panorama to collect group mapping information from users connected to remote networks, create a device group that specifies the on-premises or VM-series firewall as the Master Device and specify this device group as a Parent Device Group of the Remote_Network_Device_Group device group.
  • To allow Panorama to collect group mapping information from users or resources available through a service connection, create a device group that specifies the on-premises or VM-series firewall as the Master Device and specify this device group as a Parent Device Group of the Service_Conn_Device_Group device group.
Auto-population of users and groups applies only to the parent device group that is associated with the master device. It does not apply to the child device groups (the Mobile_User_Device_Group, Remote_Network_Device_Group, and Service_Conn_Device_Group device groups). See Configure an on-premises or VM-Series Firewall as a Master Device for details.
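The three bullets above all follow the same pattern: the Master Device sits on a device group of your own, and each Prisma Access child device group points at that group as its parent. The following script is an added example, not Palo Alto code and not tied to the Panorama API; it models a device-group hierarchy as plain Python objects (the group names other than the three Prisma Access child groups, and the device name dc-fw-01, are constructed) and checks, for each child group, whether a Master Device is reachable through its parent chain and which group will actually receive the auto-populated users and groups.

```python
"""Audit a modelled Panorama device-group hierarchy for Prisma Access group mapping.

Constructed example, not Palo Alto code. Each DeviceGroup records its parent and,
optionally, the firewall designated as its Master Device. A child device group
receives group mappings through the nearest ancestor that has a Master Device,
while auto-population of users and groups applies only to that ancestor.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# The three device groups Prisma Access creates for its deployments (names from the page).
PRISMA_CHILD_GROUPS = (
    "Mobile_User_Device_Group",
    "Remote_Network_Device_Group",
    "Service_Conn_Device_Group",
)


@dataclass
class DeviceGroup:
    name: str
    parent: Optional[str] = None         # name of the Parent Device Group, None for the root
    master_device: Optional[str] = None  # firewall serial/name configured as Master Device


def group_mapping_source(groups: Dict[str, DeviceGroup], name: str) -> Optional[str]:
    """Walk up the parent chain and return the first Master Device found, or None."""
    seen = set()
    current: Optional[DeviceGroup] = groups[name]
    while current is not None:
        if current.name in seen:
            raise ValueError(f"cycle in device-group hierarchy at {current.name!r}")
        seen.add(current.name)
        if current.master_device:
            return current.master_device
        current = groups.get(current.parent) if current.parent else None
    return None


def auto_population_group(groups: Dict[str, DeviceGroup], name: str) -> Optional[str]:
    """Return the device group in which users/groups are auto-populated for `name`.

    That is the ancestor (possibly `name` itself) that carries the Master Device;
    the child groups below it never auto-populate.
    """
    current: Optional[DeviceGroup] = groups[name]
    while current is not None:
        if current.master_device:
            return current.name
        current = groups.get(current.parent) if current.parent else None
    return None


def audit(groups: Dict[str, DeviceGroup]) -> List[str]:
    """One finding per Prisma Access child group."""
    findings = []
    for child in PRISMA_CHILD_GROUPS:
        if child not in groups:
            findings.append(f"{child}: missing from the modelled configuration")
            continue
        source = group_mapping_source(groups, child)
        if source is None:
            findings.append(f"{child}: no Master Device in parent chain, group mappings unavailable")
        else:
            findings.append(
                f"{child}: receives group mappings from {source}; "
                f"auto-population happens in {auto_population_group(groups, child)}"
            )
    return findings


# Constructed sample hierarchy: DC-UserID-DG holds the Master Device dc-fw-01 and is the
# parent of the mobile-user and remote-network groups; the service-connection group has
# not been re-parented yet, so it still hangs directly under Shared.
SAMPLE_CONFIG: Dict[str, DeviceGroup] = {
    "Shared": DeviceGroup("Shared"),
    "DC-UserID-DG": DeviceGroup("DC-UserID-DG", parent="Shared", master_device="dc-fw-01"),
    "Mobile_User_Device_Group": DeviceGroup("Mobile_User_Device_Group", parent="DC-UserID-DG"),
    "Remote_Network_Device_Group": DeviceGroup("Remote_Network_Device_Group", parent="DC-UserID-DG"),
    "Service_Conn_Device_Group": DeviceGroup("Service_Conn_Device_Group", parent="Shared"),
}

if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG):
        print(line)
```

Running the audit on the sample reports the two re-parented groups as receiving mappings from dc-fw-01 with auto-population in DC-UserID-DG, and flags Service_Conn_Device_Group as having no Master Device in its parent chain, which is exactly the state the third bullet above tells you to fix.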
A Master Device can serve as the termination point of a remote network connection or service connection, but that is not required for the process to work, as the following example shows. The figure shows a User-ID deployment in which the administrator has configured an on-premises device as a Master Device. Callouts in the figure show the process.
  1. A next-generation on-premises or VM-series firewall that the administrator has configured as a Master Device retrieves the latest User-ID information from the LDAP server and User-ID agent in the data center.
  2. Panorama gets the list of usernames, user group names, and group mapping information from the Master Device.
We recommend using a Group Include List in the LDAP server profile, so that you can specify which groups you want to retrieve, instead of retrieving all group information.