Firewall is unable to pull user groups from CIE

Created On 05/11/23 18:34 PM - Last Modified 04/12/24 02:33 AM


Symptom


  • The output of "show user group list cloud-identity-engine" shows a total of 0 groups:
admin@labfw> show user group list cloud-identity-engine

Total: 0  <<<
* : Custom Group
  • dscd.log shows the response "404 Not Found" for the group query:
dscd.log
======
{"level":"error","time":"2023-04-18T18:57:22.025130717Z","message":"Failed to get response for Query : {\"tenantId\":\"668049895389801270\",\"domain\":\"fifa.org\",\"useNormalizedAttrs\":\"true\",\"attrs\":[\"User Principal Name\",\"Name\",\"SAM Account Name\",\"Mail\",\"WhenChanged\"],\"filter\":{\"type\":\"group\",\"level\":\"recursive\",\"name\":{\"attrName\":\"Name\",\"attrValue\":\"jva9000\",\"match\":\"equal\"}},\"page\":{\"pageNum\":1,\"pageSz\":1000}}. Response = 404 Not Found "}   


Environment


  • Cloud Identity Engine (CIE)
  • Supported PAN-OS


Cause


The group-name attribute of the CIE profile does not match the format of the group name configured in the policy or any other configuration.

Resolution


Under the CIE profile, set the group-name attribute (Common-Name or Distinguished-Name) to the same format that is used for the group name in the security policy or any other configuration.
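
One way to list the group names the firewall requested from CIE and got a 404 for, so their format can be compared with the group-name attribute set in the CIE profile. This is an added example, not Palo Alto Networks code: the parsing assumes other dscd.log entries follow the single line shown under Symptom, and the sample lines, tenant ID and domain are constructed.

```python
import json
import re

# Assumption: every failed lookup is logged like the single dscd.log line above,
# i.e. "... Query : {json}. Response = <status> <text>".
MSG_RE = re.compile(r"Failed to get response for Query : (\{.*\})\. Response = (\d{3})\b")

def looks_like_dn(value):
    """Heuristic: a distinguished name is comma-separated key=value parts."""
    parts = [p.strip() for p in value.split(",")]
    return len(parts) > 1 and all(re.match(r"[A-Za-z]+=.+", p) for p in parts)

def failed_group_lookups(lines):
    """Return one record per group query that was answered with 404."""
    findings = []
    for line in lines:
        try:
            entry = json.loads(line)
            m = MSG_RE.search(entry["message"])
            query = json.loads(m.group(1)) if m and m.group(2) == "404" else None
        except (ValueError, KeyError, TypeError):
            continue  # separator lines, non-JSON text, records without a message
        flt = (query or {}).get("filter", {})
        if flt.get("type") != "group":
            continue
        name = flt.get("name", {})
        value = name.get("attrValue", "")
        findings.append({"time": entry.get("time"), "domain": query.get("domain"),
                         "attr": name.get("attrName"), "group": value,
                         "format": "distinguished-name" if looks_like_dn(value) else "short name"})
    return findings

def _sample(group):
    """Build a constructed log line in the shape of the one in this article."""
    query = {"tenantId": "0000000000", "domain": "example.com",
             "filter": {"type": "group", "level": "recursive",
                        "name": {"attrName": "Name", "attrValue": group, "match": "equal"}}}
    msg = "Failed to get response for Query : %s. Response = 404 Not Found " % json.dumps(query)
    return json.dumps({"level": "error", "time": "2023-01-01T00:00:00Z", "message": msg})

SAMPLE = ["======", '{"level":"info","message":"constructed unrelated entry"}',
          _sample("engineering"), _sample("CN=Engineering,OU=Groups,DC=example,DC=com")]

if __name__ == "__main__":
    for f in failed_group_lookups(SAMPLE):
        print(f["time"], f["domain"], f["attr"], repr(f["group"]), f["format"])
```

If the reported format of a group differs from the group-name attribute chosen in the CIE profile, that group is a candidate for the mismatch described under Cause.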

Additional Information


Configure the Cloud Identity Engine as a Mapping Source on the Firewall or Panorama
