Configure User-ID in Prisma Access

1. Configure IP address-to-username mapping for your mobile users and users at remote network locations.
   • For Mobile Users—GlobalProtect deployments, the GlobalProtect agent in Prisma Access automatically performs User-ID mapping.
   • For users at remote networks, configure User-ID for your remote network locations to map IP addresses to User IDs.
2. Configure username-to-user group mapping for your mobile users and users at remote network locations.
   For Mobile Users—GlobalProtect, Explicit Proxy, and remote network deployments, configure the Directory Sync component of the Cloud Identity Engine to retrieve user and group information from your Active Directory (AD); then, configure Group Mapping Settings in your Mobile Users—GlobalProtect or remote network deployment

   Alternatively, you can enable group mapping for mobile users and for users at remote networks using an LDAP server profile.

   We recommend using a Group Include List in the LDAP server profile, so that you can specify which groups you want to retrieve, instead of retrieving all group information.
3. Allow Panorama to use group mappings in security policies by completing one of the following actions:
   • Configure the Directory Sync component of the Cloud Identity Engine to retrieve user and group information from your Active Directory (AD); then, configure Group Mapping Settings in your Mobile Users—GlobalProtect or remote network deployment.
     The Cloud Identity Engine does not auto-populate user and group information to security policy rules and to Panorama. To simplify rule creation based on user and group information, use a master device.
   • Configure one or more next-generation on-premises or VM-series firewalls as a Master Device.
   • Configure group-based policy by specifying the full distinguished name (DN) of the group.
4. Redistribute HIP information to Panorama.