CIE unable to map user groups

Created On 07/17/23 19:39 PM - Last Modified 03/27/26 20:12 PM


Symptom


  • The user groups referenced in a Security Policy rule do not match the user groups learned from the Cloud Identity Engine (CIE).
  • The CLI commands below show this behavior.
>show running security-policy 

"CIE-okta; index: 10" {
        from NEW-VPN;
        source x.y.50.100-x.y.50.103;
        source-region none;
        to L3-Untrust;
        destination any;
        destination-region none;
        user [ dev-507.okta.com\contractors dev-507.okta.com\hr-hq dev-507.okta.com\okta-admin ];
        source-device any;
        destination-device any;
        category any;
        application/service 0:any/any/any/app-default;
        action allow;
        icmp-unreachable: no
        terminal yes;
}
admin@VM-firewall> show user group list cloud-identity-engine

dev-507.okta.com\hr-hq
dev-507.okta.com\okta-admin

Total: 2
* : Custom Group
  • In the output of the second command, the "dev-507.okta.com\contractors" group referenced by the rule is missing from the CIE group list.

Environment


  • Palo Alto NGFW
  • Prisma Access
  • Cloud Identity Engine


Cause


  • The firewall does not pull a user group from the Cloud Identity Engine when that group has no members, so an empty Okta group never appears in the firewall's group list even though it is referenced in the rule.
[Snapshot displaying Okta user groups]


Resolution


  1. Add one or more users to the affected groups. If no valid user currently exists, a dummy user may be used as a workaround.
  2. Once added, the user mappings can be retrieved within CIE.
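To confirm the fix, or to catch the same gap across a whole rulebase, the following script (an added example, not from the article or from Palo Alto Networks) parses constructed output modelled on the two CLI commands above and reports every group a rule references that is absent from the CIE group list. It assumes the rule-header and `user` line layout shown above and that custom groups carry a trailing `*`, as the legend line suggests.

```python
import re

# Constructed sample output, modelled on "show running security-policy".
# A second rule with "user any" is included to show that keywords are skipped.
POLICY_OUTPUT = """\
"CIE-okta; index: 10" {
        from NEW-VPN;
        user [ dev-507.okta.com\\contractors dev-507.okta.com\\hr-hq dev-507.okta.com\\okta-admin ];
        action allow;
}
"any-user; index: 11" {
        user any;
        action allow;
}
"""

# Constructed sample output, modelled on "show user group list cloud-identity-engine".
GROUP_LIST_OUTPUT = """\

dev-507.okta.com\\hr-hq
dev-507.okta.com\\okta-admin

Total: 2
* : Custom Group
"""

RULE_RE = re.compile(r'^"(?P<name>[^"]+); index: \d+"\s*\{')
USER_RE = re.compile(r'^\s*user\s+(?P<val>.+?);\s*$')
USER_KEYWORDS = {"any", "known-user", "unknown", "pre-logon"}  # PAN-OS user-field keywords, not groups

def parse_policy_groups(text):
    """Map each rule name to the set of user groups its 'user' field references."""
    rules, current = {}, None
    for line in text.splitlines():
        if m := RULE_RE.match(line):
            current = m.group("name")
            rules[current] = set()
        elif (m := USER_RE.match(line)) and current:
            val = m.group("val").strip()
            members = val[1:-1].split() if val.startswith("[") else [val]
            rules[current].update(g for g in members if g not in USER_KEYWORDS)
    return rules

def parse_cie_groups(text):
    """Collect group names from the CIE group list, ignoring the summary and legend lines."""
    groups = set()
    for line in (l.strip() for l in text.splitlines()):
        if line and not line.startswith(("Total:", "*")):
            groups.add(line.rstrip("*"))  # assumption: custom groups are suffixed with '*'
    return groups

def find_unmapped_groups(policy_text, cie_text):
    """Return {rule: sorted groups the rule references that CIE has not mapped}."""
    cie = parse_cie_groups(cie_text)
    return {rule: gap for rule, groups in parse_policy_groups(policy_text).items()
            if (gap := sorted(g for g in groups if g not in cie))}

if __name__ == "__main__":
    for rule, gap in find_unmapped_groups(POLICY_OUTPUT, GROUP_LIST_OUTPUT).items():
        print(f"{rule}: not mapped in CIE -> {', '.join(gap)}")
```

Any rule reported here references a group the firewall has not pulled from CIE; per the cause above, check whether that group is empty in Okta.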

