Standalone Prisma Access Group Based Policies

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Standalone Prisma Access Group Based Policies

L2 Linker

I'm trying to implement group-based policies in a standalone Prisma Access deployment. The instructions for achieving this are really lacking. Can anyone clarify how to configure group based policy mapping?

 

From the KB article:

 

Implement User-ID in Security Policies For a Standalone Prisma Access Deployment In a standalone Prisma Access deployment without a Master Device, you can use group-based policy using long-form DN entries in Panorama. Prisma Access uses the DN entries to evaluate the User-ID-based policies you have configured in Panorama. For example, given a User named Bob Alice who works in IT for Organization Hooli in the United States, a matching security policy may have ou=IT Staff,O=Hooli,C=US if the policy is to be applied to all IT staff, or CN=Bob Alice,ou=IT Staff,O=Hooli,C=US if the policy is only to be applied to Bob Alice.

1 REPLY 1

L2 Linker

Hey Raymond,

 

If I understand correctly then your Prisma Access setup is standalone thus there is no on-prem device available on Panorama.

in that situation, at the moment the Panorama is not capable of fetching group mapping today thus we do not see the group name list on Device group rules.

The workaround for this is to use the get Distinguished Name format from the AD server and paste it on the Panorama rules, user column.

 

To get DN format of group name run the below command on the AD server:

 

C:\Users\Administrator>dsquery group -name employee
"CN=Employee,CN=Users,DC=alvisofin,DC=com"

 

In the above example employee is a group name on the AD server.

 

Thanks,

Shakti

 

  • 3484 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!