Firewall is not retrieving Group Mappings from the Cloud Identity Engine
Created On 07/05/22 13:37 PM - Last Modified 03/15/24 01:53 AM
Symptom
- Groups are synchronized in the Cloud Identity Engine (CIE).
- Users or user groups are not synced to the firewall.
Environment
- PAN-OS 10.1 and above
- Cloud Identity Engine
- Group Mapping
Cause
The users or user groups are not referenced manually in any security policy rule.
Resolution
- Include the user groups in the security policy.
- The firewall collects attributes only for the users and groups that are used in security policy rules, not for every user and group in the directory.
- The group DN (Distinguished Name) can be added to the security policy manually to start the sync from the CIE.
Additional Information
- Before users/groups are added to the security policy, no users or groups are seen on the firewall:
user@fw1> show user cloud-identity-engine statistics all
Dir Sync Profile : UoS - Cloud Identity Engine
........
Last Query (Total Time Taken): 0
Total Updates : 0
No of Full Group Queries : 0
No of Incr Group Queries : 0
No of Groups : 0
No of Groups Found (Last Update): 0
- After the users/groups are added manually to the security policy, the firewall starts querying the CIE for them:
user@fw1> show user cloud-identity-engine statistics all
Dir Sync Profile : UoS - Cloud Identity Engine
..........
Last Query (Total Time Taken): 271.246232ms
Total Updates : 6
No of Full Group Queries : 6
No of Incr Group Queries : 0
No of Groups : 0
No of Groups Found (Last Update): 0
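The two CLI captures above are the check an operator runs to tell whether the firewall has ever queried the CIE. The following script is an added example, not part of this article or of any Palo Alto Networks tooling: it parses pasted output of `show user cloud-identity-engine statistics all` (copied from an SSH session, for instance) and reports whether group queries are happening. The two sample outputs inside it are constructed to match the captures shown in the article; the field names are the ones the article shows, and the script assumes the "Key : Value" layout seen there.

```python
import re

# Constructed sample output, modelled on the two captures in the article
# (not a live capture from a firewall).
BEFORE = """\
Dir Sync Profile : UoS - Cloud Identity Engine
........
Last Query (Total Time Taken): 0
Total Updates : 0
No of Full Group Queries : 0
No of Incr Group Queries : 0
No of Groups : 0
No of Groups Found (Last Update): 0
"""

AFTER = """\
Dir Sync Profile : UoS - Cloud Identity Engine
..........
Last Query (Total Time Taken): 271.246232ms
Total Updates : 6
No of Full Group Queries : 6
No of Incr Group Queries : 0
No of Groups : 0
No of Groups Found (Last Update): 0
"""

# One "Key : Value" line; the key runs up to the first colon, so
# "Last Query (Total Time Taken): 0" parses correctly.
FIELD_RE = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<value>.*?)\s*$")


def parse_cie_stats(text):
    """Parse the statistics output into a dict.

    Purely numeric values become ints; everything else (profile name,
    timings such as '271.246232ms') is kept as a string. Separator lines
    such as '........' contain no colon and are skipped.
    """
    stats = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group("key"), m.group("value")
        stats[key] = int(value) if value.isdigit() else value
    return stats


def diagnose(stats):
    """Return (state, message) describing the firewall's CIE group sync.

    'no-queries'        - the firewall has never asked the CIE for groups,
                          which is the symptom this article covers.
    'queried-no-groups' - queries are happening but no group objects are
                          held yet.
    'ok'                - at least one group has been retrieved.
    """
    updates = stats.get("Total Updates", 0)
    full_q = stats.get("No of Full Group Queries", 0)
    incr_q = stats.get("No of Incr Group Queries", 0)
    groups = stats.get("No of Groups", 0)
    profile = stats.get("Dir Sync Profile", "<unknown profile>")

    if updates == 0 and full_q == 0 and incr_q == 0:
        return ("no-queries",
                f"{profile}: no group queries have been sent to the CIE; "
                "check that the users/groups are referenced in a security policy rule")
    if groups == 0:
        return ("queried-no-groups",
                f"{profile}: {full_q} full / {incr_q} incremental group queries sent, "
                "but 0 groups are held so far")
    return ("ok", f"{profile}: {groups} group(s) retrieved from the CIE")


if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        state, msg = diagnose(parse_cie_stats(sample))
        print(f"[{label}] {state}: {msg}")
```

Run it against a pasted capture by replacing one of the sample strings; the `no-queries` state is the one that points at the cause described in this article, because a firewall that never references the groups in policy never asks the CIE for them.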