So that you can enforce your security policy consistently, Prisma Access shares identity data that GlobalProtect discovers locally across your entire Prisma Access environment. Prisma Access can also share identity data with on-premises devices at remote network sites or service connection sites (HQ and data centers).

For mobile users to access a resource at a remote network location or HQ/data center that’s secured by a device with user-based policies, you must redistribute the identity data from the Prisma Access mobile users and users at remote networks to that on-premises device.

When the users connect to Prisma Access, Prisma Access collects the user’s identity data and stores it.

The following example shows two mobile users that have an existing IP address-to-username mapping in Prisma Access. Prisma Access then redistributes this mapping by way of a service connection to the on-premises devices that’s securing the HQ/data center.

Prisma Access (Managed by Strata Cloud Manager) automatically enables service connections to work as identity redistribution agents (also called User-ID agents).