CIE unable to map user groups

Created On 07/17/23 19:39 PM - Last Modified 06/18/25 21:11 PM


Symptom


  • The user groups referenced in the Security Policy rule do not match the user groups listed by the Cloud Identity Engine (CIE).
  • The CLI commands below show this behavior.
> show running security-policy

"CIE-okta; index: 10" {
        from NEW-VPN;
        source x.y.50.100-x.y.50.103;
        source-region none;
        to L3-Untrust;
        destination any;
        destination-region none;
        user [ dev-507.okta.com\contractors dev-507.okta.com\hr-hq dev-507.okta.com\okta-admin ];
        source-device any;
        destination-device any;
        category any;
        application/service 0:any/any/any/app-default;
        action allow;
        icmp-unreachable: no
        terminal yes;
}
admin@VM-firewall> show user group list cloud-identity-engine

dev-507.okta.com\hr-hq
dev-507.okta.com\okta-admin

Total: 2
* : Custom Group
  • From the above command, the "dev-507.okta.com\contractors" group is not in the list.

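The comparison made by hand above (groups named in a rule's "user" field versus groups returned by "show user group list cloud-identity-engine") can be automated so that every rule is checked at once. The following script is an added example, not part of the article or of PAN-OS; it parses constructed copies of the two command outputs modelled on the transcript above and reports, per rule, the groups that the policy references but CIE has not mapped. The handling of a trailing " *" as the custom-group marker is an assumption based on the legend line in the output.

```python
import re

# Constructed sample of "show running security-policy" output, modelled on the
# article's transcript (extra rules added to exercise the single-group and "any" cases).
POLICY_OUTPUT = r'''
"CIE-okta; index: 10" {
        from NEW-VPN;
        source x.y.50.100-x.y.50.103;
        user [ dev-507.okta.com\contractors dev-507.okta.com\hr-hq dev-507.okta.com\okta-admin ];
        action allow;
}
"Allow-HR; index: 11" {
        from NEW-VPN;
        user dev-507.okta.com\hr-hq;
        action allow;
}
"Any-user; index: 12" {
        user any;
        action allow;
}
'''

# Constructed sample of "show user group list cloud-identity-engine" output.
CIE_GROUP_OUTPUT = r'''
dev-507.okta.com\hr-hq
dev-507.okta.com\okta-admin

Total: 2
* : Custom Group
'''

# A rule starts with its quoted name followed by "{" and ends at a line holding "}".
RULE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*\{(?P<body>.*?)^\}', re.S | re.M)
# The "user" field is either a bracketed list or a single token (including "any").
USER_RE = re.compile(r'^\s*user\s+(\[(?P<list>.*?)\]|(?P<single>\S+));', re.M)


def parse_policy_user_groups(text):
    """Return {rule_name: set_of_user_groups} for every rule in the policy output.

    The "; index: N" suffix is dropped from the rule name and "any" is not treated
    as a group, so a rule that matches any user yields an empty set.
    """
    rules = {}
    for m in RULE_RE.finditer(text):
        name = m.group('name').split(';')[0].strip()
        um = USER_RE.search(m.group('body'))
        if um is None:
            groups = set()
        elif um.group('list') is not None:
            groups = set(um.group('list').split())
        else:
            groups = {um.group('single')}
        groups.discard('any')
        rules[name] = groups
    return rules


def parse_cie_group_list(text):
    """Return the set of group names reported by CIE, skipping the summary lines."""
    groups = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('Total:') or line.startswith('*'):
            continue
        # Assumption: a custom group is flagged with a trailing " *" (see the legend line).
        groups.add(line.rstrip(' *'))
    return groups


def find_unmapped_groups(policy_text, cie_text):
    """Return {rule_name: sorted_missing_groups} for rules that reference a group CIE lacks."""
    mapped = parse_cie_group_list(cie_text)
    report = {}
    for rule, groups in parse_policy_user_groups(policy_text).items():
        missing = sorted(groups - mapped)
        if missing:
            report[rule] = missing
    return report


if __name__ == "__main__":
    for rule, missing in find_unmapped_groups(POLICY_OUTPUT, CIE_GROUP_OUTPUT).items():
        print(f"rule {rule!r}: groups not mapped by CIE: {', '.join(missing)}")
```

Run against the sample, the script flags only the "CIE-okta" rule, with "dev-507.okta.com\contractors" as the unmapped group; a rule that matches any user or only references mapped groups produces no output. A group reported here is, per the Cause section, most likely empty on the identity provider side.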
Environment


  • Any Palo Alto Networks firewall
  • Cloud Identity Engine


Cause


  • The firewall does not pull a user group from the Cloud Identity Engine while that group has no members, so an empty group is absent from the CIE group list even though the policy references it.
Snapshot displaying Okta user groups


Resolution


  1. Add user(s) to the affected groups on the identity provider.
  2. Once members are present, the firewall retrieves the group mapping from CIE and the group appears in the list.

