After you configure User-ID mapping in Prisma Access, you need to be able to retrieve the current username-to-user group information for mobile users and users at remote networks. If you don’t use the Directory Sync component of the Cloud Identity Engine to retrieve IP address-to-username and username-to-user group information, you can populate the groups to allow them to be selected in drop-down lists in security policies by adding one or more next-generation firewalls to your deployment and then designating the firewall as a Master Device. Alternatively, you can implement User-ID mapping in policies using long-form Distinguished Name (DN) entries.