I'm trying to implement group-based policies in a standalone Prisma Access deployment. The instructions for achieving this are really lacking. Can anyone clarify how to configure group based policy mapping?
From the KB article:
Implement User-ID in Security Policies For a Standalone Prisma Access Deployment In a standalone Prisma Access deployment without a Master Device, you can use group-based policy using long-form DN entries in Panorama. Prisma Access uses the DN entries to evaluate the User-ID-based policies you have configured in Panorama. For example, given a User named Bob Alice who works in IT for Organization Hooli in the United States, a matching security policy may have ou=IT Staff,O=Hooli,C=US if the policy is to be applied to all IT staff, or CN=Bob Alice,ou=IT Staff,O=Hooli,C=US if the policy is only to be applied to Bob Alice.
If I understand correctly then your Prisma Access setup is standalone thus there is no on-prem device available on Panorama.
in that situation, at the moment the Panorama is not capable of fetching group mapping today thus we do not see the group name list on Device group rules.
The workaround for this is to use the get Distinguished Name format from the AD server and paste it on the Panorama rules, user column.
To get DN format of group name run the below command on the AD server:
C:\Users\Administrator>dsquery group -name employee
In the above example employee is a group name on the AD server.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!