Redistribute User-ID Information From Prisma Access to an On-Premise Firewall

Shows the steps you take to redistribute User-ID information from Prisma Access to an on-premises firewall.
In cases where mobile users need to access a resource on a remote network location or HQ/data center and the resource is secured by an on-premises next-generation firewall with user-based policies, you must redistribute the IP address-to-username mapping from the Prisma Access mobile users and users at remote networks to the on-premises firewall. When a user connects to Prisma Access, Prisma Access collects this IP address-to-username mapping and stores it.

The following figure shows two mobile users that have an existing IP address-to-username mapping in Prisma Access. Prisma Access then redistributes this mapping by way of either a service connection (SC-CAN) or a remote network connection (RN-SPN) to the on-premises firewall that secures the HQ/data center.

Prisma Access uses the service connection or remote network connection as an IPSec tunnel that serves as the underlay path to the Layer 3 network. You can use any route path over an IPSec trusted tunnel for privately addressed destinations to redistribute this mapping.

To redistribute User-ID mappings from Prisma Access to an on-premises firewall, complete the following steps.
Make sure you do not apply any SSL decryption on any connection that redistributes user identity to the on-premises firewall (the SC-CAN or RN-SPN), including any firewalls that are in the redistribution path. Alternatively, you can apply a decryption exclusion to the redistribution traffic.
Step 1. Make a note of the IP address to use when you configure the data redistribution agent.
  a. For remote network connections, find the EBGP Router address (Panorama > Cloud Services > Status > Network Details > Remote Networks > EBGP Router).
  b. For service connections, find the User-ID Agent Address (Panorama > Cloud Services > Status > Network Details > Service Connection > User-ID Agent Address).
Step 2. Configure Prisma Access as a User-ID agent that redistributes user mapping information.
  a. In the Panorama that manages Prisma Access, select Device > Data Redistribution > Collector Settings.
  b. To configure the collector on a service connection, select the Service_Conn_Template; to configure the collector on a remote network connection, select the Remote_Network_Template.
  c. Click the gear icon to edit the settings.
  d. Provide a Collector Name and a Collector Pre-Shared Key to identify Prisma Access as a User-ID agent.
  e. Click OK to save your changes.
Step 3. Configure the on-premises firewall to collect the User-ID mapping from Prisma Access.
  a. From the on-premises firewall, select Device > Data Redistribution > Agents.
  b. Add a User-ID Agent and give it a Name.
  c. Select Host and Port.
  d. Enter the User-ID Agent Address (for a service connection) or EBGP Router Address (for a remote network connection) from Prisma Access in the Host field.
  e. Enter the Collector Name and Collector Pre-Shared Key for the Prisma Access collector you created in Step 2.
  f. Select IP User Mappings.
  g. Click OK.
Repeat these steps for each service connection or remote network connection for which you want to redistribute mappings.
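After completing the steps above, an administrator will want to confirm on the on-premises firewall that mappings are actually arriving from the Prisma Access collector rather than only from local sources. The following Python script is an added example and is not part of the Prisma Access documentation or Palo Alto Networks' own tooling: it parses the text output of the PAN-OS operational command `show user ip-user-mapping all` (as captured from the firewall CLI), counts mappings by source, checks that at least one mapping was learned from a User-ID agent, and flags agent-learned mappings whose addresses fall outside the expected mobile-user IP pools. The column order, the source tag "UIA" for agent-learned mappings, the sample output and the 10.10.20.0/24 pool are all assumptions constructed for this example.

```python
"""Check that agent-learned User-ID mappings are present on the on-premises firewall.

Added example, not from the Prisma Access documentation. Parses the tabular output
of `show user ip-user-mapping all` captured from a PAN-OS firewall CLI.

Assumptions (not stated on the page): the column order IP / Vsys / From / User /
IdleTimeout / MaxTimeout and the "UIA" tag for mappings learned from a User-ID
agent follow typical PAN-OS output; the sample text below is constructed.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed sample output: addresses and user names are illustrative only.
SAMPLE_OUTPUT = """\
IP              Vsys   From    User                       IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------- -------------- -------------
10.10.20.15     vsys1  UIA     corp\\mobile.user1         2400           2400
10.10.20.16     vsys1  UIA     corp\\mobile.user2         2380           2400
192.168.5.40    vsys1  AD      corp\\hq.user3             1800           2700
Total: 3 users
"""


@dataclass(frozen=True)
class Mapping:
    ip: str
    vsys: str
    source: str
    user: str
    idle_timeout: int
    max_timeout: int


def parse_ip_user_mapping(text: str) -> List[Mapping]:
    """Turn the tabular CLI output into Mapping records, skipping header and footer."""
    mappings: List[Mapping] = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows have six whitespace-separated fields and start with an IPv4
        # address; the header, the dashed separator and the "Total:" line do not.
        if len(parts) != 6 or parts[0].count(".") != 3:
            continue
        ip, vsys, source, user, idle, maxt = parts
        mappings.append(Mapping(ip, vsys, source, user, int(idle), int(maxt)))
    return mappings


def count_by_source(mappings: Iterable[Mapping]) -> Dict[str, int]:
    """Number of mappings per source tag (e.g. UIA for User-ID agent, AD, GP)."""
    return dict(Counter(m.source for m in mappings))


def agent_mappings_present(mappings: Iterable[Mapping], source_tag: str = "UIA") -> bool:
    """True if at least one mapping came from a User-ID agent, which is the path
    configured under Device > Data Redistribution > Agents on the firewall."""
    return any(m.source == source_tag for m in mappings)


def mappings_outside_pools(mappings: Iterable[Mapping], pools: Iterable[str],
                           source_tag: str = "UIA") -> List[Mapping]:
    """Agent-learned mappings whose IP is not inside any expected address pool.

    Unexpected addresses usually mean the wrong connection is feeding the agent
    or the pool list is out of date; either way they deserve a look."""
    nets = [ipaddress.ip_network(p) for p in pools]
    return [m for m in mappings
            if m.source == source_tag
            and not any(ipaddress.ip_address(m.ip) in n for n in nets)]


if __name__ == "__main__":
    found = parse_ip_user_mapping(SAMPLE_OUTPUT)
    print("mappings by source:", count_by_source(found))
    print("agent mappings present:", agent_mappings_present(found))
    # Assumed mobile-user IP pool for the example; replace with your own pools.
    stray = mappings_outside_pools(found, ["10.10.20.0/24"])
    print("agent mappings outside expected pools:", [m.ip for m in stray])
```

Run the script against a saved capture of the command output instead of `SAMPLE_OUTPUT` to check a real firewall; if `agent_mappings_present` returns False after the collector and agent are configured, revisit the pre-shared key, the Host address chosen in Step 3, and any decryption on the redistribution path.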