<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Caveats for Redistributing User-Id info from Prisma Access to on-prem firewalls in Prisma Access Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/prisma-access-discussions/caveats-for-redistributing-user-id-info-from-prisma-access-to-on/m-p/393695#M174</link>
    <description>&lt;P&gt;&lt;SPAN&gt;At the time of this writing, the process for redistributing User-ID info from Prisma Access to on-prem firewalls is documented publicly here:&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;&lt;A href="https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/configure-user-based-policies-with-prisma-access/redistribute-userid-information-for-users-and-networks" target="_blank" rel="noopener"&gt;https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/configure-user-based-policies-with-prisma-access/redistribute-userid-information-for-users-and-networks&lt;/A&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;However, this document does not capture an important caveat. In the case of multiple Service Connections existing, each GlobalProtect Gateway node will share the User-ID info with one of the Service Connection nodes, usually the closest node to it. For example, I was working on a tenant with Service Connections in US-West and US-Northwest. When I logged into a gateway based in US-Northwest, the US-Northwest Service Connection received my User-ID info, but the US-West Service Connection did not.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;This is important because if you're going to follow the above linked process, you will have to reference multiple/all Service Connections' user agent IP addresses in order to get the info on all users coming in via GlobalProtect. I suggest using the following resources to identify whether user &amp;lt;-&amp;gt; IP mappings have propagated to the local firewalls:&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;&lt;A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5bCAC" target="_blank" rel="noopener"&gt;https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5bCAC&lt;/A&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;&lt;A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClR1CAK" target="_blank" rel="noopener"&gt;https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClR1CAK&lt;/A&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;And as always, after you redistribute, make sure to enable User-ID on the zones on the on-prem firewalls.&lt;/SPAN&gt;&lt;/P&gt;</description>
    <pubDate>Thu, 25 Mar 2021 05:22:29 GMT</pubDate>
    <dc:creator>KPawlak</dc:creator>
    <dc:date>2021-03-25T05:22:29Z</dc:date>
    <item>
      <title>Caveats for Redistributing User-Id info from Prisma Access to on-prem firewalls</title>
      <link>https://live.paloaltonetworks.com/t5/prisma-access-discussions/caveats-for-redistributing-user-id-info-from-prisma-access-to-on/m-p/393695#M174</link>
      <description>&lt;P&gt;&lt;SPAN&gt;At the time of this writing, the process for redistributing User-ID info from Prisma Access to on-prem firewalls is documented publicly here:&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;&lt;A href="https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/configure-user-based-policies-with-prisma-access/redistribute-userid-information-for-users-and-networks" target="_blank" rel="noopener"&gt;https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/configure-user-based-policies-with-prisma-access/redistribute-userid-information-for-users-and-networks&lt;/A&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;However, this document does not capture an important caveat. In the case of multiple Service Connections existing, each GlobalProtect Gateway node will share the User-ID info with one of the Service Connection nodes, usually the closest node to it. For example, I was working on a tenant with Service Connections in US-West and US-Northwest. When I logged into a gateway based in US-Northwest, the US-Northwest Service Connection received my User-ID info, but the US-West Service Connection did not.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;This is important because if you're going to follow the above linked process, you will have to reference multiple/all Service Connections' user agent IP addresses in order to get the info on all users coming in via GlobalProtect. I suggest using the following resources to identify whether user &amp;lt;-&amp;gt; IP mappings have propagated to the local firewalls:&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;&lt;A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5bCAC" target="_blank" rel="noopener"&gt;https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5bCAC&lt;/A&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;&lt;A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClR1CAK" target="_blank" rel="noopener"&gt;https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClR1CAK&lt;/A&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;And as always, after you redistribute, make sure to enable User-ID on the zones on the on-prem firewalls.&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 25 Mar 2021 05:22:29 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/prisma-access-discussions/caveats-for-redistributing-user-id-info-from-prisma-access-to-on/m-p/393695#M174</guid>
      <dc:creator>KPawlak</dc:creator>
      <dc:date>2021-03-25T05:22:29Z</dc:date>
    </item>
  </channel>
</rss>