Make Group Names Selectable in Security Policy Rules Using a Master Device

Use a next-generation or VM-series firewall as a Master Device to add group names to security policy rules in a Panorama Managed Prisma Access deployment.
Although configuring Group Mapping in the Cloud Identity Engine performs username-to-user-group mapping, those user groups are not populated into security policies. To simplify the creation or modification of group-based policies, you can use a Master Device to add the group names to the drop-down lists in security policy rules. You designate one firewall as the Master Device for each device group. After you add a Master Device, the device group inherits all policies defined on that device; for this reason, the Master Device should be a standalone firewall dedicated to that device group.
To allow selection of group names in the drop-down lists of security policies, Palo Alto Networks recommends that you designate a Master Device for each device group. You can configure either an on-premises firewall or a VM-series firewall as a Master Device.
The following figure shows a User-ID deployment where the administrator has configured an on-premises device as a Master Device. Callouts in the figure show the process.
  1. A next-generation on-premises or VM-series firewall that the administrator has configured as a Master Device retrieves the latest username-to-user-group mapping from the LDAP server and the User-ID agent in the data center.
  2. Panorama gets the username-to-user-group mapping from the Master Device.
    Panorama uses this mapping only to populate the group names in the drop-down lists of security policies, which simplifies the creation of group-based policies.