Prisma Access: Learning On-Premises AD Group Mappings via Master Device
Scenario:
An enterprise uses Panorama to manage both on-premises firewalls and Prisma Access for mobile users. GlobalProtect with SAML authentication provides IP-to-user mapping. The goal is to enforce Security Policies in Prisma Access based on user groups defined in their on-premises Active Directory (AD).
Question:
How can Prisma Access learn the necessary user-to-group mappings from the on-premises AD?
Correct Method: Assigning a Master Device in Panorama
✅ Correct Approach: Assign an on-premises or VM-Series firewall as a Master Device in Panorama through which Prisma Access learns group mappings.
📘 Explanation
To enforce group-based policies effectively in Prisma Access when user group information resides in an on-premises Active Directory, Prisma Access needs a way to obtain these user-to-group mappings. While Prisma Access doesn't directly query on-premises AD via LDAP, it can leverage Panorama and a designated on-premises firewall (or VM-Series) acting as a "Master Device".
How the Master Device Approach Works:
- Master Device Configuration: An existing on-premises firewall (or a dedicated VM-Series instance) is configured with an LDAP Server Profile pointing to the on-premises Active Directory domain controllers. This firewall uses LDAP to query AD and retrieve user and group information.
- Master Device Designation in Panorama: Within Panorama, this specific firewall is designated as the source of user/group information for a Device Group. This is typically done in the Parent Device Group of the Prisma Access mobile user device group(s), or by configuring it in the User-ID settings referenced by the Prisma Access templates/device groups.
- Panorama Collects Mappings: Panorama periodically collects the user-to-group mappings that the designated Master Device has learned via LDAP.
- Policy Creation in Panorama: When administrators create Security Policies in Panorama intended for Prisma Access, Panorama's GUI can now populate dropdown lists with the user groups learned from the Master Device. This allows admins to select AD groups as policy criteria directly.
- Policy Push to Prisma Access: When the configuration is pushed from Panorama to Prisma Access, the policies referencing these AD groups are deployed. Prisma Access relies on the IP-to-user mapping (already established via GlobalProtect/SAML) and the group mapping information (learned indirectly via the Master Device/Panorama) to enforce the group-based rules.
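The last step is a join of two independently learned tables, and a group-based rule only matches when both are present. The following added illustration (not Palo Alto Networks code) models that join with constructed data: the IP-to-user map as GlobalProtect/SAML would populate it, the user-to-group map as the Master Device would learn it over LDAP, and first-match rule evaluation. The domain, group names and the UPN-to-NetBIOS normalisation are assumptions for the example.

```python
"""Constructed model of group-based policy evaluation from two mapping sources:
IP-to-user (GlobalProtect/SAML) and user-to-group (LDAP via the Master Device).
All data is constructed; the domain and group names are hypothetical."""
from dataclasses import dataclass

# IP-to-user mapping as populated by GlobalProtect SAML logins (constructed).
# SAML NameIDs are often UPNs while LDAP group membership is stored as
# domain\sAMAccountName, so names are normalised before the join (assumption).
IP_USER_MAP = {
    "10.20.1.15": "alice@example.com",
    "10.20.1.16": "bob@example.com",
}

# User-to-group mapping as the Master Device learns it over LDAP (constructed).
GROUP_MAP = {
    "cn=finance,ou=groups,dc=example,dc=com": {"example\\alice"},
    "cn=vpn-users,ou=groups,dc=example,dc=com": {"example\\alice", "example\\bob"},
}

NETBIOS_DOMAINS = {"example.com": "example"}  # UPN suffix -> NetBIOS name (assumed)

@dataclass(frozen=True)
class Rule:
    name: str
    source_groups: frozenset  # group DNs; an empty set means "any user"
    action: str

RULES = [
    Rule("allow-finance-erp", frozenset({"cn=finance,ou=groups,dc=example,dc=com"}), "allow"),
    Rule("deny-all", frozenset(), "deny"),
]

def normalize_user(name):
    """Convert user@upn.suffix to domain\\user so it matches the LDAP-learned form."""
    if "@" in name:
        user, suffix = name.split("@", 1)
        return f"{NETBIOS_DOMAINS.get(suffix.lower(), suffix)}\\{user}".lower()
    return name.lower()

def groups_for_user(user, group_map):
    """All group DNs whose LDAP-learned membership contains this normalised user."""
    return {g for g, members in group_map.items() if user in {m.lower() for m in members}}

def evaluate(ip, rules=RULES, ip_user_map=IP_USER_MAP, group_map=GROUP_MAP):
    """First-match evaluation: returns (rule name, action) for a source IP."""
    raw = ip_user_map.get(ip)
    # With no Master Device the group map is empty, so only group-less rules can match.
    groups = groups_for_user(normalize_user(raw), group_map) if raw else set()
    for rule in rules:
        if not rule.source_groups or rule.source_groups & groups:
            return rule.name, rule.action
    return None, "deny"  # nothing matched; treat as denied
```

Passing an empty `group_map` reproduces the situation without a Master Device: the user is still identified, but every group-based rule is skipped and traffic falls through to the catch-all rule.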
Benefits:
- Leverages existing on-premises infrastructure (firewall and AD).
- Allows administrators to see and select familiar on-premises AD groups directly within the Panorama policy interface when building Prisma Access rules.
- Facilitates consistent group-based policy enforcement across both on-premises firewalls and Prisma Access mobile users.
Why Other Options Are Incorrect
- 1. Learn via SAML assertion: SAML assertions are primarily for authenticating users and confirming their identity. While they *can* sometimes carry group attributes, they are typically not designed or reliable for providing the comprehensive, frequently updated user-to-group mapping needed for ongoing policy enforcement across numerous groups in the way LDAP/Master Device or Cloud Identity Engine can.
- 2. Group mapping redistribution between firewall and Prisma Access: There isn't a direct, native mechanism for an on-premises firewall to "redistribute" its learned group mappings directly to the Prisma Access cloud infrastructure. The communication for group mapping typically flows *through* Panorama (using the Master Device concept) or uses the Cloud Identity Engine.
- 4. Create group mapping config referencing LDAP profile directly on Prisma Access: Prisma Access, being a cloud service, generally does not have direct network connectivity or the capability to initiate LDAP queries back to on-premises Active Directory domain controllers for group mapping lookups. This function is delegated to components like an on-premises Master Device or the Cloud Identity Engine.
✅ Summary: Utilizing a Master Device configured in Panorama is a key method for Prisma Access to learn on-premises Active Directory group memberships, enabling consistent group-based policy enforcement for mobile users managed by Panorama.