Use a next-generation or VM-Series firewall as a Master Device to collect user and group mappings in the Prisma Access deployment.

To allow Panorama to collect group mappings, you need to add a device group, then designate one or more next-generation firewalls as a Master Device. You can configure either an on-premises firewall or a VM-Series firewall as a Master Device.
To allow Panorama to collect group mapping information from mobile users, create a device group that specifies the on-premises or VM-Series firewall as the Master Device, and specify this device group as a Parent Device Group of the Mobile_User_Device_Group device group.

To allow Panorama to collect group mapping information from users connected to remote networks, create a device group that specifies the on-premises or VM-Series firewall as the Master Device, and specify this device group as a Parent Device Group of the Remote_Network_Device_Group device group.

To allow Panorama to collect group mapping information from users or resources available through a service connection, create a device group that specifies the on-premises or VM-Series firewall as the Master Device, and specify this device group as a Parent Device Group of the Service_Conn_Device_Group device group.
Auto-population of users and groups applies only to the parent device group that is associated with the Master Device. It does not apply to the child device groups (Mobile_User_Device_Group, Remote_Network_Device_Group, or Service_Conn_Device_Group).
See Configure an on-premises or VM-Series Firewall as a Master Device for details.
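The procedure above places the Master Device on a parent device group and relies on each Prisma Access device group inheriting from it. The following added example (not Palo Alto Networks code, and not Panorama's configuration schema) models a device-group hierarchy as a constructed dict and audits whether each of the three Prisma Access device groups has a Master Device reachable through its parent chain, reporting which ancestor group receives the auto-populated users and groups. The device-group name Shared_MasterDG and the serial PA-ON-PREM-01 are constructed placeholders.

```python
"""Audit a Panorama device-group hierarchy for Prisma Access group-mapping collection.

Added example, not vendor code. Device groups are modelled as a dict of
name -> {"parent": parent_name_or_None, "master_device": serial_or_None}.
This is a constructed representation, not Panorama's real XML schema.
"""
from typing import Dict, Optional, Tuple

# The three Prisma Access child device groups named in the procedure.
PRISMA_ACCESS_DEVICE_GROUPS = (
    "Mobile_User_Device_Group",
    "Remote_Network_Device_Group",
    "Service_Conn_Device_Group",
)


def find_master_device(device_groups: Dict[str, dict], name: str) -> Optional[Tuple[str, str]]:
    """Walk up the parent chain starting at `name`.

    Returns (device_group_name, master_device_serial) for the nearest device
    group that has a Master Device, or None if no ancestor has one.
    A cycle in the parent chain (a misconfiguration) stops the walk.
    """
    seen = set()
    current: Optional[str] = name
    while current is not None and current not in seen:
        seen.add(current)
        if current not in device_groups:
            raise KeyError(f"device group {current!r} is referenced but not defined")
        dg = device_groups[current]
        if dg.get("master_device"):
            return current, dg["master_device"]
        current = dg.get("parent")
    return None


def audit(device_groups: Dict[str, dict]) -> Dict[str, dict]:
    """Report, per Prisma Access device group, whether Panorama can collect
    group mappings for it and which device group receives auto-population."""
    report: Dict[str, dict] = {}
    for name in PRISMA_ACCESS_DEVICE_GROUPS:
        if name not in device_groups:
            report[name] = {"status": "missing", "auto_populated_group": None}
            continue
        found = find_master_device(device_groups, name)
        if found is None:
            # No Master Device anywhere above this group: Panorama has no
            # source of user and group mappings for these users.
            report[name] = {"status": "no-master-device", "auto_populated_group": None}
        else:
            ancestor, serial = found
            entry = {"status": "ok", "auto_populated_group": ancestor, "master_device": serial}
            if ancestor == name:
                # The documented procedure puts the Master Device on a parent
                # device group; auto-population applies to that parent, not
                # to the child group itself.
                entry["note"] = "master device set on child group; procedure expects a parent device group"
            report[name] = entry
    return report


# Constructed sample hierarchy: two Prisma Access groups inherit from a
# parent that carries the Master Device; the service-connection group does not.
SAMPLE_HIERARCHY = {
    "Shared_MasterDG": {"parent": None, "master_device": "PA-ON-PREM-01"},  # placeholder serial
    "Mobile_User_Device_Group": {"parent": "Shared_MasterDG", "master_device": None},
    "Remote_Network_Device_Group": {"parent": "Shared_MasterDG", "master_device": None},
    "Service_Conn_Device_Group": {"parent": None, "master_device": None},
}

if __name__ == "__main__":
    for group, result in audit(SAMPLE_HIERARCHY).items():
        print(f"{group}: {result}")
```

Running the block prints an "ok" result for the mobile-user and remote-network groups (auto-population lands on Shared_MasterDG) and "no-master-device" for Service_Conn_Device_Group, which is the gap an administrator would need to close by adding a parent device group with a Master Device.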
A Master Device can serve as the termination point of a remote network connection or service connection, but this connection method is not required for the process to work, as the following example shows. The figure shows a User-ID deployment where the administrator has configured an on-premises device as a Master Device; callouts in the figure show the process.
A next-generation on-premises or VM-Series firewall that the administrator has configured as a Master Device retrieves the latest User-ID information from the LDAP server and User-ID agent in the data center.

Panorama gets the list of usernames, user group names, and group mapping information from the Master Device.
We recommend using a Group Include List in the LDAP server profile, so that you can specify which groups you want to retrieve instead of retrieving all group information.