How to push Cloud Identity Engine (CIE) managed group-mapping to the Firewalls

Created On 07/01/22 23:41 PM - Last Modified 03/31/23 05:51 AM


Objective


To push Cloud Identity Engine (CIE) managed group-mappings to the firewalls

Note: The Cloud Identity Engine consists of two components: Directory Sync, which provides user information, and the Cloud Authentication Service, which authenticates users. For a more comprehensive identity solution, Palo Alto Networks recommends using both components, but you can configure the components independently.


Environment




Procedure


In order to push Cloud Identity Engine (CIE) managed group-mappings to the firewalls, those groups must first be referenced in the Security Policy (for example, by specifying one or more users or groups that the firewall retrieves from the Cloud Identity Engine as the Source User of a security rule).

The firewall collects attributes only for the users and groups that you use in security policy rules, not all users and groups in the directory.

Adding them only to a Decryption, Authentication, or Application Override policy will NOT push the groups to the firewalls.
 
  1. If you create a dummy security policy to push these CIE managed groups and later delete the dummy policy, the groups will remain for some time, but after the next automatic or manual group-mapping refresh they will be removed, and traffic that matches on those groups will stop working as expected.

  2. Do customers need to do anything special after adding new users to the group in AD, other than waiting for CIE to sync?
     Answer: After adding the new users to AD, CIE will sync automatically. If you want to perform a manual sync, you can do that from the CIE app on the hub portal. Firewalls refresh periodically to get the latest group-mapping information.

  3. Adding the groups to a security policy before using them elsewhere is an additional step required to push the group-mappings to the devices. This is currently by design, and changing it would require a Feature Request (FR). Customers can ask their Palo Alto Networks Systems Engineers (SEs) to file a Feature Request; the Product team reviews FRs for future product enhancements, but there is no ETA on when any FR will be implemented.
 
 
 


Additional Information


Use Case:
  • The customer has a security rule that allows all SSL traffic for all users in their company.
  • The customer wants to decrypt this SSL traffic for a few groups that they have configured and synced in the CIE hub app.
  • To push these groups to the firewalls, the customer must reference those groups in a security policy rule; only then will the groups be pushed to the firewalls. Refer to the Cloud Identity Engine documentation.
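As an added example (not part of this article or of Palo Alto Networks' own tooling), the following Python check reads a PAN-OS rulebase export and reports any user or group that a decryption, authentication, or application-override rule references without a matching security-rule reference, which is exactly the case described in the procedure and the use case above: a group whose mapping the firewall will not fetch. The XML element names and the sample rulebase are constructed to follow the layout of a PAN-OS configuration export, which is an assumption here; point it at your own export to use it.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like a PAN-OS vsys rulebase export (the element names
# are an assumption about the config schema; adjust the paths if your export differs).
SAMPLE_RULEBASE = """<rulebase>
  <security><rules>
    <entry name="allow-ssl-all"><source-user><member>any</member></source-user></entry>
    <entry name="cie-group-anchor"><source-user>
      <member>cn=finance,ou=groups,dc=example,dc=com</member>
    </source-user></entry>
  </rules></security>
  <decryption><rules>
    <entry name="decrypt-finance"><source-user>
      <member>cn=finance,ou=groups,dc=example,dc=com</member>
    </source-user></entry>
    <entry name="decrypt-hr"><source-user>
      <member>cn=hr,ou=groups,dc=example,dc=com</member>
    </source-user></entry>
  </rules></decryption>
</rulebase>"""

# Built-in source-user keywords; these are not directory users or groups.
SPECIAL_SOURCE_USERS = {"any", "pre-logon", "known-user", "unknown"}


def source_users(root, policy):
    """Users/groups referenced by rules of one policy type (keywords excluded)."""
    members = root.findall(f"./{policy}/rules/entry/source-user/member")
    return {m.text.strip() for m in members if m.text} - SPECIAL_SOURCE_USERS


def groups_not_pushed(rulebase_xml):
    """Map each non-security policy type to the sorted users/groups it references
    that no security rule references, i.e. mappings the firewall will not fetch."""
    root = ET.fromstring(rulebase_xml)
    anchored = source_users(root, "security")
    report = {}
    for policy in ("decryption", "authentication", "application-override"):
        unanchored = source_users(root, policy) - anchored
        if unanchored:
            report[policy] = sorted(unanchored)
    return report


if __name__ == "__main__":
    for policy, groups in groups_not_pushed(SAMPLE_RULEBASE).items():
        print(f"{policy}: {groups} not referenced by any security rule; "
              "their group-mapping will not be pushed to the firewall")
```

In the sample, the finance group is anchored by a security rule and will be pushed, while the HR group referenced only by a decryption rule is reported as missing.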


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000wkppCAA&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail