How to match the GlobalProtect Portal or Gateway agent configuration by email username with CIE?

Created On 08/30/22 22:19 PM - Last Modified 06/06/25 20:08 PM


Objective


This article provides instructions to match the GlobalProtect agent configuration using Distinguished Name or Email Address (User Principal Name or UPN).



Environment


  • Palo Alto Firewalls
  • Supported PAN-OS versions
  • GlobalProtect Portal
  • GlobalProtect Gateway
  • GlobalProtect App
  • Cloud Identity Engine (CIE)


Procedure


  1. Navigate to Device > User Identification > Cloud Identity Engine and edit the following settings:
    1. Within the User Attributes tab, change the Primary Username field to "User Principal Name" and the E-Mail field to "Mail".
    2. Within the Group Attributes tab, the Group Name field can be set to either "Distinguished Name" (DN) or "Name". Make sure the user group name in the security policy matches the group attribute format.
    3. Add the email username or DN user group to the GP Portal or Gateway agent configuration.


Additional Information


The user group list and user-to-group information can be checked using the following commands.
admin@PANOS-FW> show user group list
cn=vpn-users,dc=khanit,dc=tech
Total: 1
* : Custom Group

admin@PANOSFW> show user group name "cn=vpn-users,dc=khanit,dc=tech"
source type: cloud
Group type: Directory Sync Service
[1     ] sahan@khanit.tech
[2     ] sraque@khanit.tech
[3     ] admin123@khanit.tech
Note: To view the CIE groups on the firewall's CLI, those groups must first be referenced in the security policy via the GUI, followed by a commit.
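
A check for the output above, added here as an example (it is not Palo Alto Networks code): the Python below parses `show user group name` output and reports group members that are not in UPN form, plus agent-config usernames that do not appear in the group. The function names, the sample agent-config entries, and the case-insensitive comparison are assumptions.

```python
import re

# Output of "show user group name ..." copied from the article above.
SAMPLE_OUTPUT = """\
source type: cloud
Group type: Directory Sync Service
[1     ] sahan@khanit.tech
[2     ] sraque@khanit.tech
[3     ] admin123@khanit.tech
"""

MEMBER_RE = re.compile(r"^\[\s*(\d+)\s*\]\s+(\S.*?)\s*$")   # "[1     ] user"
UPN_RE = re.compile(r"^[^@\s\\]+@[^@\s\\]+\.[^@\s\\]+$")    # user@domain.tld


def parse_group_output(text):
    """Return (header fields, member list) parsed from the CLI output."""
    fields, members = {}, []
    for line in text.splitlines():
        m = MEMBER_RE.match(line)
        if m:
            members.append(m.group(2))
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip().lower()] = value.strip()
    return fields, members


def check_agent_config_users(text, configured_users):
    """Compare agent-config usernames with the members the firewall lists.

    Assumption: usernames are compared case-insensitively.
    """
    fields, members = parse_group_output(text)
    known = {m.lower() for m in members}
    return {
        # True when the firewall reports the group as learned from the cloud (CIE).
        "from_cie": fields.get("source type") == "cloud",
        # Members not in UPN form: Primary Username is probably not set to UPN.
        "non_upn_members": [m for m in members if not UPN_RE.match(m)],
        # Agent-config entries that the group mapping does not contain.
        "unmatched_config_users": [u for u in configured_users
                                   if u.lower() not in known],
    }


if __name__ == "__main__":
    # Constructed agent-config entries; the second uses a non-UPN format.
    print(check_agent_config_users(SAMPLE_OUTPUT,
                                   ["Sahan@khanit.tech", "khanit\\sraque"]))
```

An empty `non_upn_members` list together with an empty `unmatched_config_users` list means every username in the agent configuration is present in the group in the same format the firewall reports.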

