User traffic on a firewall retrieving group information from CIE (Cloud Identity Engine) does not match the expected group-based security policy

Created On 08/18/22 08:50 AM - Last Modified 05/31/25 03:23 AM


Symptom


  • User traffic passing through the firewalls intermittently matches an unexpected group-based security rule.
  • A commit sometimes resolves the issue, but sometimes it does not.


Environment


  • Firewall working with CIE (Cloud Identity Engine) to fetch the group information for security rule
  • Strata
  • Prisma Access


Cause


  • CIE stops reading the remaining groups' and users' information if any domain or group configured in Panorama or on the firewalls is not found in CIE.

Example:

  • The groups 'test-group' or 'cn=test-group,ou=user groups,dc=test,dc=local' are configured as the source user in security rules on the firewalls.
  • The firewall tries to retrieve these groups from CIE.
  • If CIE does not have such groups, the sync with CIE stops and the firewall does not retrieve the group members, which leads to a policy mismatch.


Resolution


Check the following configurations in all locations (Shared/Vsys) and in all Device Groups/Templates, and remove the invalid groups.

DEVICE tab:
+ Authentication Profile -> [Any Authentication Profiles] -> Advanced -> Allow List
+ Server Profiles -> LDAP -> [Any LDAP Servers] -> Base DN
+ Server Profiles -> LDAP -> [Any LDAP Servers] -> Bind DN
+ User Identification -> Group Mapping Settings -> [Any Group Mappings] -> Group Include List
+ Local User Data Base -> User Groups


NETWORK tab:
+ GlobalProtect -> Portals -> [Any Portals] -> Agent -> [Any CONFIGS] -> Config Selection Criteria -> User/User Group -> USER/USER GROUP
+ GlobalProtect -> Portals -> [Any Portals] -> Clientless VPN -> Applications -> [Any CONFIGS] -> USER/USER GROUP
+ GlobalProtect -> Gateways -> [Any Gateways] -> Client Settings -> [Any CONFIGS] -> Config Selection Criteria -> SOURCE USER


POLICIES tab:
+ Authentication -> Pre/Post Rules -> [Any rules] -> Source -> SOURCE USER
+ Security -> Pre/Post Rules -> [Any rules] -> Source -> SOURCE USER
+ QoS -> Pre/Post Rules -> [Any rules] -> Source -> SOURCE USER
+ Policy Based Forwarding -> Pre/Post Rules -> [Any rules] -> Source -> SOURCE USER
+ Decryption -> Pre/Post Rules -> [Any rules] -> Source -> SOURCE USER
+ DoS Protection -> Pre/Post Rules -> [Any rules] -> Source -> SOURCE USER
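Walking every tab by hand is error-prone on a large Panorama deployment, so an automated first pass over the exported configuration helps. The script below is an added example, not Palo Alto Networks code: it parses a constructed PAN-OS-style XML export, collects group references from three of the locations listed above (security rule source users, group mapping include lists, authentication profile allow lists), and reports any reference that is not in the set of groups CIE holds. The XML element layout and the XPath expressions are assumptions that approximate a PAN-OS export; the `CIE_GROUPS` set stands in for the group list you would obtain from CIE. Extend `LOCATIONS` with the remaining GlobalProtect and policy paths from the list once you have confirmed them against a real export.

```python
"""Find group references in a PAN-OS style XML configuration export that do
not exist in the set of groups a Cloud Identity Engine (CIE) instance knows.
Added example; the XML layout and XPath expressions are assumptions."""
import xml.etree.ElementTree as ET

# Constructed sample export. The element layout is an assumption that
# approximates a PAN-OS XML export; adapt the paths below to a real one.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain">
    <vsys><entry name="vsys1">
      <rulebase><security><rules>
        <entry name="allow-finance">
          <source-user><member>cn=finance,ou=user groups,dc=test,dc=local</member></source-user>
        </entry>
        <entry name="allow-test">
          <source-user><member>test-group</member><member>any</member></source-user>
        </entry>
      </rules></security></rulebase>
      <group-mapping><entry name="cie-mapping">
        <group-include-list>
          <member>cn=finance,ou=user groups,dc=test,dc=local</member>
          <member>cn=test-group,ou=user groups,dc=test,dc=local</member>
        </group-include-list>
      </entry></group-mapping>
      <authentication-profile><entry name="gp-auth">
        <allow-list>
          <member>all</member>
          <member>cn=vpn-users,ou=user groups,dc=test,dc=local</member>
        </allow-list>
      </entry></authentication-profile>
    </entry></vsys>
  </entry></devices>
</config>"""

# Constructed stand-in for the groups CIE actually holds (in practice taken
# from the CIE directory sync). LDAP DNs compare case-insensitively.
CIE_GROUPS = {
    "cn=finance,ou=user groups,dc=test,dc=local",
    "cn=vpn-users,ou=user groups,dc=test,dc=local",
}

# Keywords that are not group names and must never be flagged.
SPECIAL_VALUES = {"any", "all", "known-user", "unknown", "pre-logon"}

# (label, XPath to the container entries, XPath from an entry to its members).
# Hypothetical paths approximating a PAN-OS export; verify before relying on them.
LOCATIONS = [
    ("security rule source user", ".//rulebase/security/rules/entry", "source-user/member"),
    ("group mapping include list", ".//group-mapping/entry", "group-include-list/member"),
    ("authentication profile allow list", ".//authentication-profile/entry", "allow-list/member"),
]


def collect_group_refs(config_xml):
    """Return (location label, object name, group value) for every group reference."""
    root = ET.fromstring(config_xml)
    refs = []
    for label, entry_path, member_path in LOCATIONS:
        for entry in root.iterfind(entry_path):
            for member in entry.iterfind(member_path):
                value = (member.text or "").strip()
                if not value or value.lower() in SPECIAL_VALUES:
                    continue
                refs.append((label, entry.get("name"), value))
    return refs


def _leaf_cn(dn):
    """Return the value of the first RDN ('finance' for 'cn=finance,ou=...')."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1] if "=" in first else first


def find_invalid_groups(config_xml, cie_groups):
    """Return references whose group CIE does not know.

    A short name such as 'test-group' is matched against the leaf CN of each
    CIE DN, so a group CIE holds under its full DN is not flagged."""
    known_dns = {g.lower() for g in cie_groups}
    known_cns = {_leaf_cn(dn) for dn in known_dns}
    invalid = []
    for label, name, value in collect_group_refs(config_xml):
        v = value.lower()
        if v in known_dns:
            continue
        if "=" not in v and v in known_cns:
            continue
        invalid.append((label, name, value))
    return invalid


if __name__ == "__main__":
    for label, name, value in find_invalid_groups(SAMPLE_CONFIG, CIE_GROUPS):
        print(f"remove from {label} '{name}': {value} (not found in CIE)")
```

On the constructed export the script flags 'test-group' in the security rule 'allow-test' and the full DN of test-group in the group include list, which is exactly the situation the Cause section describes; the 'finance' and 'vpn-users' references pass because CIE holds them.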



Additional Information


In the future, more locations may be added from which CIE looks up group settings. Check the entire configuration to find invalid groups and remove them.


