Make Group Names Selectable in Security Policy Rules Using a Master Device
Use a next-generation or VM-series firewall as a Master
Device to add group names to security policy rules in a Panorama
Managed Prisma Access deployment.
Although configuring Group Mapping in the Cloud Identity Engine
performs username-to-user group mapping, those user groups are not
populated in security policy rules. To simplify
the creation or modification of group-based policies, you can use
a Master Device to add the group names to drop-down lists in security
policy rules. You need to designate a firewall as a Master Device
for each device group. After you add a Master Device, the device
group inherits all policies defined on the Master Device; for this
reason, the Master Device should be a standalone, dedicated device
used only for that device group.
To allow selection of group names in drop-down lists in security
policies, Palo Alto Networks recommends that you designate a Master
Device for each device group. You can configure either
an on-premises firewall or a VM-series firewall as a Master Device.
The following figure shows a User-ID deployment where the administrator
has configured an on-premises device as a Master Device.
Callouts in the figure show the process:
1. A next-generation on-premises or VM-series firewall that
the administrator has configured as a Master Device retrieves the
latest username-to-user group mapping from the LDAP server and User-ID
agent in the data center.
2. Panorama gets the username-to-user group mapping from the
Master Device.
3. Panorama uses this mapping only for the purpose
of populating the group names in drop-down lists in security policies,
thus simplifying the creation of policies based on groups.
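The two operational points above (every device group needs a Master Device, and because the device group inherits the master's policies, the master should be dedicated to that one device group) can be checked against an exported Panorama configuration. The following script is an added example, not Palo Alto Networks code; the XML layout it parses (device-group/entry/devices and device-group/entry/master-device/device) and the sample configuration are assumptions, so verify the element paths against an export from your own Panorama before relying on it.

```python
import xml.etree.ElementTree as ET

# Constructed Panorama configuration fragment (sample data, not from a real
# deployment). The element layout, device-group/entry/devices and
# device-group/entry/master-device/device, is an assumption about the
# Panorama XML config; verify it against an export of your own Panorama.
SAMPLE_CONFIG = """
<config><devices><entry name="localhost.localdomain"><device-group>
  <entry name="branch-offices">
    <devices><entry name="001122334455"/><entry name="001122334466"/></devices>
    <master-device><device>001122334455</device></master-device>
  </entry>
  <entry name="data-center">
    <devices><entry name="001122334455"/><entry name="009988776655"/></devices>
    <master-device><device>001122334455</device></master-device>
  </entry>
  <entry name="lab">
    <devices><entry name="007700770077"/></devices>
  </entry>
</device-group></entry></devices></config>
"""


def check_master_devices(config_xml):
    """Return sorted (device_group, finding) pairs for device groups that either
    have no Master Device (group names will not appear in policy drop-downs) or
    share their Master Device with another device group (the device group
    inherits the master's policies, so the master should be dedicated)."""
    root = ET.fromstring(config_xml.strip())
    master_of = {}  # device group name -> Master Device serial (or None)
    for dg in root.iterfind(".//device-group/entry"):
        master_of[dg.get("name")] = dg.findtext("master-device/device")

    # Invert the mapping to find serials that serve more than one device group.
    groups_by_master = {}
    for name, serial in master_of.items():
        if serial is not None:
            groups_by_master.setdefault(serial, []).append(name)

    findings = []
    for name, serial in master_of.items():
        if serial is None:
            findings.append((name, "no Master Device configured"))
        elif len(groups_by_master[serial]) > 1:
            others = ", ".join(g for g in groups_by_master[serial] if g != name)
            findings.append((name, f"Master Device {serial} is shared with {others}"))
    return sorted(findings)


if __name__ == "__main__":
    for group, finding in check_master_devices(SAMPLE_CONFIG):
        print(f"{group}: {finding}")
```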