Prisma Access User-Based Policy (Panorama)

1. Configure IP address-to-username mapping for your mobile users and users at remote network locations.

   • For Mobile Users—GlobalProtect deployments, the GlobalProtect agent in Prisma Access automatically performs User-ID mapping.
   • For users at remote networks, Configure User-ID for Remote Network Deployments to map IP addresses to User IDs.
2. Configure username-to-user group mapping for your mobile users and users at remote network locations.

   For Mobile Users—GlobalProtect, Explicit Proxy, and remote network deployments, configure the Directory Sync component of the Cloud Identity Engine to retrieve user and group information from your Active Directory (AD); then, configure Group Mapping Settings in your Mobile Users—GlobalProtect or remote network deployment.

   Alternatively, you can enable username-to-user group mapping for mobile users and users at remote networks using an LDAP server profile.

   We recommend using a Group Include List in the LDAP server profile, so that you can specify which groups you want to retrieve, instead of retrieving all group information.
3. Allow Panorama to use username-to-user group mapping in security policies by completing one of the following actions:

   • Configure the Directory Sync component of the Cloud Identity Engine to retrieve user and group information from your Active Directory (AD); then, configure Group Mapping Settings in your Mobile Users—GlobalProtect, Mobile Users—Explicit Proxy, or remote network deployment.
   • Configure group-based policy by specifying the full distinguished name (DN) of the group.
4. Redistribute HIP information to Panorama.