https://live.paloaltonetworks.com/t5/prisma-access-discussions/standalone-prisma-access-group-based-policies/m-p/332976#M103 <DIV class="lia-message-body lia-component-message-view-widget-body lia-component-body-signature-highlight-escalation lia-component-message-view-widget-body-signature-highlight-escalation"><DIV class="lia-message-body-content"><P>I'm trying to implement group-based policies in a standalone Prisma Access deployment. The instructions for achieving this are really lacking. Can anyone clarify how to configure group based policy mapping?</P><P>&nbsp;</P><P>From the KB article:</P><P>&nbsp;</P><P><STRONG>Implement User-ID in Security Policies For a Standalone Prisma Access Deployment In a standalone Prisma Access deployment without a Master Device</STRONG>, you can use group-based policy using long-form DN entries in Panorama. Prisma Access uses the DN entries to evaluate the User-ID-based policies you have configured in Panorama. For example, given a User named Bob Alice who works in IT for Organization Hooli in the United States, a matching security policy may have ou=IT Staff,O=Hooli,C=US if the policy is to be applied to all IT staff, or CN=Bob Alice,ou=IT Staff,O=Hooli,C=US if the policy is only to be applied to Bob Alice.</P></DIV></DIV> Thu, 11 Jun 2020 15:00:44 GMT RaymondMullin 2020-06-11T15:00:44Z https://live.paloaltonetworks.com/t5/prisma-access-discussions/standalone-prisma-access-group-based-policies/m-p/332976#M103 <DIV class="lia-message-body lia-component-message-view-widget-body lia-component-body-signature-highlight-escalation lia-component-message-view-widget-body-signature-highlight-escalation"><DIV class="lia-message-body-content"><P>I'm trying to implement group-based policies in a standalone Prisma Access deployment. The instructions for achieving this are really lacking. Can anyone clarify how to configure group based policy mapping?</P><P>&nbsp;</P><P>From the KB article:</P><P>&nbsp;</P><P><STRONG>Implement User-ID in Security Policies For a Standalone Prisma Access Deployment In a standalone Prisma Access deployment without a Master Device</STRONG>, you can use group-based policy using long-form DN entries in Panorama. Prisma Access uses the DN entries to evaluate the User-ID-based policies you have configured in Panorama. For example, given a User named Bob Alice who works in IT for Organization Hooli in the United States, a matching security policy may have ou=IT Staff,O=Hooli,C=US if the policy is to be applied to all IT staff, or CN=Bob Alice,ou=IT Staff,O=Hooli,C=US if the policy is only to be applied to Bob Alice.</P></DIV></DIV> Thu, 11 Jun 2020 15:00:44 GMT https://live.paloaltonetworks.com/t5/prisma-access-discussions/standalone-prisma-access-group-based-policies/m-p/332976#M103 RaymondMullin 2020-06-11T15:00:44Z https://live.paloaltonetworks.com/t5/prisma-access-discussions/standalone-prisma-access-group-based-policies/m-p/340141#M127 <P>Hey Raymond,</P><P>&nbsp;</P><P>If I understand correctly then your Prisma Access setup is standalone thus there is no on-prem device available on Panorama.</P><P>in that situation, at the moment the Panorama is not capable of fetching group mapping today thus we do not see the group name list on Device group rules.</P><P>The workaround for this is to use the get Distinguished Name format from the AD server and paste it on the Panorama rules, user column.</P><P>&nbsp;</P><P>To get DN format of group name run the below command on the AD server:</P><P>&nbsp;</P><P>C:\Users\Administrator&gt;<STRONG>dsquery group -name employee</STRONG><BR />"CN=Employee,CN=Users,DC=alvisofin,DC=com"</P><P>&nbsp;</P><P>In the above example <STRONG>employee</STRONG> is a group name on the AD server.</P><P>&nbsp;</P><P>Thanks,</P><P>Shakti</P><P>&nbsp;</P> Wed, 22 Jul 2020 19:18:19 GMT https://live.paloaltonetworks.com/t5/prisma-access-discussions/standalone-prisma-access-group-based-policies/m-p/340141#M127 shkumar 2020-07-22T19:18:19Z