How to add CIE to Prisma template in On-Prem Panorama?

Created On 07/24/23 04:50 AM - Last Modified 10/31/25 18:08 PM


Objective


From the GUI, we only have the option to add CIE to the device group, not to templates. In addition, the Prisma template is in read-only mode. We can manually add the users and groups in the GlobalProtect portal of Prisma Access (Panorama-managed template). However, if there is a large number of users and groups, this is a cumbersome task for the admin.

This article demonstrates a method to add CIE to the Prisma template in an On-Prem Panorama. The same process can be used to add a User-ID master device.
 


Environment


  • On-Prem Panorama
  • Prisma Access
  • GlobalProtect


Procedure


There are two methods, depending on the stage of deployment:

  1. Initial stages of deployment.
  2. Prisma is already deployed (Panorama managed)

I. Initial stages of deployment

1. The snapshot below shows how it looks when the tenant is not configured and the template stack is not called under the tenant:

image.png

2. Under Panorama > Template-stack (Use the Cloud Services plugin to edit) rn-stk-(tenant name), the template is not in a read-only state, and the option to select the CIE or User-ID Master Device is available.

image (3).png

3. Once the tenant is configured and the template is called under Remote network-->Settings, as shown in the screenshots below, we can't edit the template because it is now in read-only mode. Follow the second method for any further modifications to the configuration.

Screenshot 2023-07-17 at 1.14.26 PM.png

Screenshot 2023-07-24 at 2.26.44 PM.png



II. Prisma is already deployed (Panorama managed)

1. Log in to the CLI of the Panorama with a superuser account and enter configuration mode:

lab@Panorama1> configure

2. Enter the following command to add CIE to the template stack:

lab@Panorama1# set template-stack <template-stack-name> user-group-source cloud-identity-engine Test2

3. Before committing the change, verify through the GUI that the group(s) are visible, as in the screenshot below.

Screenshot 2023-07-17 at 1.29.26 PM.png

4. Commit the changes:

lab@Panorama1# commit

5. Verify the changes under Panorama > Template-stack > mu-stk-Rphilip

Screenshot 2023-07-17 at 12.31.28 PM.png
 

 

 


Additional Information


To delete the CIE or User-ID master device from the template stack, a similar process can be used:

lab@Panorama1# delete template-stack mu-stk-Rphilip user-group-source cloud-identity-engine Test2

lab@Panorama1# commit
 

