How to configure User-ID based Policy Rules on Prisma SD-WAN

• To identify traffic flows at the branch and implement appropriate policies to authorize and prioritize the traffic
• To provide greater visibility of statistics at branch.

• Prisma SD-WAN
• User-ID
• Traffic flow
• Software version 6.2.1 and above

1. Set up the connection to the User-ID agent. Refer appropriate documentation.
2. Configure a data center ION device to connect to the User ID Agent in the PAN-OS firewall.

• Select a data center site.
• Click "Configure User Agent"
• Click "Add User Agent"

3.  Configure user attributes.

• Select Manage > System > Identity Management > Cloud Identity Engine
• Click Connect Identity Engine

• User Principal Name—User-id@domain.com
• SAM Account Name—NetBIOS/User-ID format
  When the username format is a SAM Account Name, Prisma SD-WAN supports only the netbios\<user> format and not the domain\<user> format.

4. Add users and/or user groups in policy rules. You can add users or user groups in path, QoS, and security policy rules.

• Select Mange > Policies > Path > Path Stacks > Simple > Select a Stack > Add Rule
• On the Users tab, select a User and/or a Group from the User/ Group drop-down.
• The default value is Any
• An explicitly specified user name has priority over a group name. An explicitly specified group name has priority over any/known/unknown user.

5. Save the configuration

This feature is supported from 6.2.1 version and above.
You can apply User-ID based policies only to "tenant service group (TSG)" compatible tenants.