How to configure panorama to pull group mapping information from a managed firewall with the master device

How to configure panorama to pull group mapping information from a managed firewall with the master device

42549
Created On 10/09/19 03:21 AM - Last Modified 10/23/21 02:22 AM


Objective
List the steps required to configure panorama to pull group mapping from a managed firewall.

Environment
  • Palo Alto Firewalls.
  • Panorama Appliances
  • PAN-OS 8.1 and above.


Procedure
When the firewall is being managed by Panorama, the user and group mapping list can be pulled to panorama for use in policies. Steps to accomplish the same are listed below:
  1. On Panorama, "Enable reporting and filtering on groups" using GUI: Panorama > Setup > Management > Panorama Settings
User-added image
 
  1. Enable the setting of "Store users and groups from the master device if reporting and filtering of groups is enabled in Panorama settings" under Panorama > Device Groups > (device group name). The example below is for device group name VM-300-197. Note that this setting is only seen when you select a Master Device.

User-added image
 
  1. Commit the changes to Panorama. Now group information of the firewall is seen on Panorama.
  2. Now the groups can be added in the security policy rules under the "user" tab. Example below.
Security Policy Rule


 


Additional Information
Configuring Group Mappings on Firewalls using Panorama without the master device.

 


Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMtpCAG&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language