Configure Your Prisma Access Deployment to Retrieve Group Mapping

Retrieve User-ID group mapping for Prisma Access by configuring an on-premises firewall as a master device.
After you configure User-ID mapping in Prisma Access, you need to be able to retrieve the current IP address-to-username and username-to-user group information for mobile users and users at remote networks. To allow the Panorama that manages your deployment to retrieve group mapping information, you must add one or more next-generation firewalls to your deployment and then designate the firewall as a Master Device. You then create policies in Panorama and enforce the policies using the list of user groups that Panorama retrieved from the Master Device.
Panorama cannot retrieve group mapping information in Prisma Access deployments without next-generation firewalls, because Prisma Access does not have any devices in its device groups that you can specify as a Master Device. If you have a standalone Prisma Access deployment, you can still implement User-ID mapping in policies by using long-form Distinguished Name (DN) entries.

Retrieve Group Mappings Using a Master Device

To allow Panorama to collect group mappings, you need to add a device group, then designate one or more next-generation firewalls as a Master Device. You can configure either an on-premises firewall or a VM-series firewall as a master device.
  • To allow Panorama to collect group mapping information from mobile users, create a device group that specifies the on-premises or VM-series firewall as the Master Device and specify this device group as a Parent Device Group of the Mobile_User_Device_Group device group.
  • To allow Panorama to collect group mapping information from users connected to remote networks, create a device group that specifies the on-premises or VM-series firewall as the Master Device and specify this device group as a Parent Device Group of the Remote_Network_Device_Group device group.
  • To allow Panorama to collect group mapping information from users or resources available through a service connection, create a device group that specifies the on-premises or VM-series firewall as the Master Device and specify this device group as a Parent Device Group of the Service_Conn_Device_Group device group.
Auto-population of users and groups applies only to the parent device group that is associated with the Master Device. It does not apply to the child device groups (the Mobile_User_Device_Group, Remote_Network_Device_Group, or Service_Conn_Device_Group device groups). See Configure an on-premises or VM-Series Firewall as a Master Device for details.
The Master Devices can serve as the termination point of a remote network connection or service connection, but this connection method is not required for the process to work, as shown in the following example. The following figure shows a User-ID deployment where the administrator has configured an on-premises device as a Master Device. Callouts in the figure show the process.
  1. A next-generation on-premises or VM-series firewall that the administrator has configured as a Master Device retrieves the latest User-ID information from the LDAP server and User-ID agent in the data center.
  2. Panorama gets the list of usernames, user group names, and group mapping information from the Master Device.
We recommend using a Group Include List in the LDAP server profile, so that you can specify which groups you want to retrieve, instead of retrieving all group information.

Configure an on-premises or VM-Series Firewall as a Master Device

Use the following procedure to configure an on-premises or VM-series firewall as a Master Device.
  1. Create device groups for mobile users, remote networks, and service connection device groups as required, and specify the on-premises device as the Master Device.
    1. Select Panorama > Managed Devices > Device Groups.
    2. Add a new device group.
    3. Enter a Name for the device group.
    4. Leave the Parent Device Group as Shared.
    5. In the Devices area, select the Name of the on-premises or VM-Series device that you want to set as the Master Device.
    6. Select Store user and groups from Master Device if Reporting and Filtering on Groups is enabled in Panorama Settings.
      This option allows Panorama to locally store usernames, user group names, and group mapping information that it receives from the Master Device.
    7. Click OK.
      The following screenshot shows a device group that specifies a Master Device to be used for the service connection.
  2. Associate the device groups you created for your Prisma Access mobile user, remote network, or service connection deployment.
    • To associate the device group with a mobile user deployment, select Panorama > Cloud Services > Configuration > Mobile Users, click the gear icon in the Settings area to edit the settings, and set the Parent Device Group to the device group you created for mobile users.
    • To associate the device group with a remote network connection, select Panorama > Cloud Services > Configuration > Remote Networks, click the gear icon in the Settings area to edit the settings, and set the Parent Device Group to the device group you created for the remote network connection.
    • To associate the device group with a service connection, select Panorama > Cloud Services > Configuration > Service Setup, click the gear icon in the Settings area to edit the settings, and set the Parent Device Group to the device group you created for the service connection.
    After you create a parent device group, Prisma Access automatically populates group mapping only for the device group that is associated with the Master Device. In the previous examples, auto-population would occur only in the User-ID DG Mobile Users, User-ID DG Remote Connection, and User-ID DG Service Connection device groups; it would not propagate to their respective child device groups (Mobile_User_Device_Group, Remote_Network_Device_Group, or Service_Conn_Device_Group).
  3. Click OK.

Implement User-ID in Security Policies For a Standalone Prisma Access Deployment

In a standalone Prisma Access deployment without a Master Device, you can use group-based policy using long-form DN entries in Panorama. Prisma Access uses the DN entries to evaluate the User-ID-based policies you have configured in Panorama.
For example, given a User named Bob Alice who works in IT for Organization Hooli in the United States, a matching security policy may have ou=IT Staff,O=Hooli,C=US if the policy is to be applied to all IT staff, or CN=Bob Alice,ou=IT Staff,O=Hooli,C=US if the policy is only to be applied to Bob Alice.
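The following is an added illustration, not Prisma Access's own policy-evaluation code, of how a long-form DN policy entry of either kind above can be compared against a user's DN: the OU-level entry is treated as a suffix that matches every entry beneath it (including nested OUs, an assumption made here), while the full CN= entry matches one user only. Attribute types and values are case-folded and whitespace is stripped so that cosmetic differences in how the DN was typed do not cause a silent policy miss.

```python
"""DN suffix matching for long-form DN policy entries (added example)."""
import re

# Split on commas that are not backslash-escaped, so a value such as
# "Smith\, John" stays in one RDN.
_RDN_SPLIT = re.compile(r'(?<!\\),')


def normalize_dn(dn: str) -> list[tuple[str, str]]:
    """Return [(attr, value), ...] in the DN's leaf-to-root order.

    Attribute types and values are lower-cased and stripped, so
    'ou=IT Staff,O=Hooli,C=US' and 'OU=it staff, o=hooli, c=us'
    normalize to the same list. A component without '=' is rejected
    rather than silently matching nothing.
    """
    parts = []
    for rdn in _RDN_SPLIT.split(dn):
        attr, sep, value = rdn.partition('=')
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        parts.append((attr.strip().lower(), value.strip().lower()))
    return parts


def dn_matches_policy(user_dn: str, policy_dn: str) -> bool:
    """True if policy_dn equals user_dn or is an ancestor (suffix) of it.

    'ou=IT Staff,O=Hooli,C=US' therefore matches every entry under that
    OU, while 'CN=Bob Alice,ou=IT Staff,O=Hooli,C=US' matches only Bob.
    """
    user = normalize_dn(user_dn)
    policy = normalize_dn(policy_dn)
    if len(policy) > len(user):
        return False
    return user[len(user) - len(policy):] == policy


if __name__ == "__main__":
    bob = "CN=Bob Alice,ou=IT Staff,O=Hooli,C=US"
    print(dn_matches_policy(bob, "ou=IT Staff,O=Hooli,C=US"))          # True
    print(dn_matches_policy(bob, "CN=Bob Alice,ou=IT Staff,O=Hooli,C=US"))  # True
    print(dn_matches_policy("CN=Carol,ou=Finance,O=Hooli,C=US",
                            "ou=IT Staff,O=Hooli,C=US"))                # False
```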