<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Cloud Identity Engine Directory Sync in Cloud Identity Engine Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/cloud-identity-engine/cloud-identity-engine-directory-sync/m-p/471473#M12</link>
    <description>&lt;P&gt;Thanks for the reply. The error I see is that the user didn't match a policy in the portal.&lt;/P&gt;
&lt;P&gt;I have two users in the Azure group that is seen on the firewall via CIE. One user synced from on-prem has the email as the UPN and the other user is a guest in Azure and has a guestuser_email.com#EXT#@xxxxxx.onmicrosoft.com UPN. The users have to log in with email address format to Azure via SAML which works for both users. The on-prem user can map to a portal policy, but guest user cannot. The on-prem user appears in the group with email (same as login), but the guest user shows as UPN which isn't the same as the email login format.&lt;BR /&gt;&lt;BR /&gt;Even though the guest user shows as UPN in the group, the email address used for login is an alternative user id and therefore should be able to map the user to the group referenced in the portal policy. I believe that should be the case.&lt;/P&gt;</description>
    <pubDate>Tue, 08 Mar 2022 19:01:04 GMT</pubDate>
    <dc:creator>CCIE11129</dc:creator>
    <dc:date>2022-03-08T19:01:04Z</dc:date>
    <item>
      <title>Cloud Identity Engine Directory Sync</title>
      <link>https://live.paloaltonetworks.com/t5/cloud-identity-engine/cloud-identity-engine-directory-sync/m-p/452631#M6</link>
      <description>&lt;P&gt;I have Cloud Identity Engine synced to Azure AD and see both groups and users in the hub. I configured a firewall to use CIE, but it doesn't appear to be working. I can see the groups and select them in policies, but no users from those groups are seen on the firewall. "show user cloud-identity-engine client stat" shows groups, but they show as unmapped (not sure if it should show mapped). "show user cloud-identity-engine status all" shows the name of the directory APP, but all stats are 0 or say never. Same with "show user cloud-identity-engine statistics all". Any help would be appreciated.&lt;/P&gt;</description>
      <pubDate>Sat, 11 Dec 2021 02:10:27 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cloud-identity-engine/cloud-identity-engine-directory-sync/m-p/452631#M6</guid>
      <dc:creator>CCIE11129</dc:creator>
      <dc:date>2021-12-11T02:10:27Z</dc:date>
    </item>
    <item>
      <title>Re: Cloud Identity Engine Directory Sync</title>
      <link>https://live.paloaltonetworks.com/t5/cloud-identity-engine/cloud-identity-engine-directory-sync/m-p/470329#M8</link>
      <description>
&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Housing1_0-1646346073427.png" style="width: 400px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/39454i54A575F96A2E39D6/image-size/medium/is-moderation-mode/true?v=v2&amp;amp;px=400" role="button" title="Housing1_0-1646346073427.png" alt="Housing1_0-1646346073427.png" /&gt;&lt;/span&gt;&lt;/P&gt;
&lt;P&gt;What did you map here? I am having issues like you&lt;/P&gt;</description>
      <pubDate>Thu, 03 Mar 2022 22:21:41 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cloud-identity-engine/cloud-identity-engine-directory-sync/m-p/470329#M8</guid>
      <dc:creator>Housing1</dc:creator>
      <dc:date>2022-03-03T22:21:41Z</dc:date>
    </item>
    <item>
      <title>Re: Cloud Identity Engine Directory Sync</title>
      <link>https://live.paloaltonetworks.com/t5/cloud-identity-engine/cloud-identity-engine-directory-sync/m-p/470341#M9</link>
      <description>&lt;P&gt;Housing1,&lt;/P&gt;
&lt;P&gt;I'm not doing authentication with Cloud Identity Engine. I'm just trying to get the directory sync part of it working.&lt;/P&gt;</description>
      <pubDate>Thu, 03 Mar 2022 23:21:42 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cloud-identity-engine/cloud-identity-engine-directory-sync/m-p/470341#M9</guid>
      <dc:creator>CCIE11129</dc:creator>
      <dc:date>2022-03-03T23:21:42Z</dc:date>
    </item>
    <item>
      <title>Re: Cloud Identity Engine Directory Sync</title>
      <link>https://live.paloaltonetworks.com/t5/cloud-identity-engine/cloud-identity-engine-directory-sync/m-p/470626#M10</link>
      <description>&lt;P&gt;I was able to get Cloud Identity Engine working on the firewall. I changed the service interface for "Palo Alto Network Services" to use the outside interface instead of the default management interface. This didn't work at first until I removed the Cloud Identity Engine config on the firewall and re-added it.&lt;BR /&gt;&lt;BR /&gt;With that being said, my new issue is that the CIE group doesn't seem to work for GlobalProtect portal config for agent match criteria. I am able to configure it, but it doesn't seem to work for matching the user even though I see the user and group information on the firewall through CLI which looks correct.&lt;/P&gt;</description>
      <pubDate>Fri, 04 Mar 2022 20:57:24 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cloud-identity-engine/cloud-identity-engine-directory-sync/m-p/470626#M10</guid>
      <dc:creator>CCIE11129</dc:creator>
      <dc:date>2022-03-04T20:57:24Z</dc:date>
    </item>
    <item>
      <title>Re: Cloud Identity Engine Directory Sync</title>
      <link>https://live.paloaltonetworks.com/t5/cloud-identity-engine/cloud-identity-engine-directory-sync/m-p/471447#M11</link>
      <description>&lt;P&gt;Is there an error? Maybe in the agent log file? I finally got mine working with users and groups in my policies. I haven't tried GlobalProtect yet.&lt;/P&gt;</description>
      <pubDate>Tue, 08 Mar 2022 18:34:47 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cloud-identity-engine/cloud-identity-engine-directory-sync/m-p/471447#M11</guid>
      <dc:creator>Housing1</dc:creator>
      <dc:date>2022-03-08T18:34:47Z</dc:date>
    </item>
    <item>
      <title>Re: Cloud Identity Engine Directory Sync</title>
      <link>https://live.paloaltonetworks.com/t5/cloud-identity-engine/cloud-identity-engine-directory-sync/m-p/471473#M12</link>
      <description>&lt;P&gt;Thanks for the reply. The error I see is that the user didn't match a policy in the portal.&lt;/P&gt;
&lt;P&gt;I have two users in the Azure group that is seen on the firewall via CIE. One user synced from on-prem has the email as the UPN and the other user is a guest in Azure and has a guestuser_email.com#EXT#@xxxxxx.onmicrosoft.com UPN. The users have to log in with email address format to Azure via SAML which works for both users. The on-prem user can map to a portal policy, but guest user cannot. The on-prem user appears in the group with email (same as login), but the guest user shows as UPN which isn't the same as the email login format.&lt;BR /&gt;&lt;BR /&gt;Even though the guest user shows as UPN in the group, the email address used for login is an alternative user id and therefore should be able to map the user to the group referenced in the portal policy. I believe that should be the case.&lt;/P&gt;</description>
      <pubDate>Tue, 08 Mar 2022 19:01:04 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cloud-identity-engine/cloud-identity-engine-directory-sync/m-p/471473#M12</guid>
      <dc:creator>CCIE11129</dc:creator>
      <dc:date>2022-03-08T19:01:04Z</dc:date>
    </item>
    <item>
      <title>Re: Cloud Identity Engine Directory Sync</title>
      <link>https://live.paloaltonetworks.com/t5/cloud-identity-engine/cloud-identity-engine-directory-sync/m-p/520616#M31</link>
      <description>&lt;P&gt;Hi All,&lt;/P&gt;
&lt;P&gt;I am having an issue whereby we have activated CIE on Panorama; however, no groups or users are coming through. The command "show user cloud-identity-engine client stat" shows 0 for everything. Any ideas?&lt;/P&gt;</description>
      <pubDate>Tue, 08 Nov 2022 07:49:16 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cloud-identity-engine/cloud-identity-engine-directory-sync/m-p/520616#M31</guid>
      <dc:creator>Nisha_Bharadia</dc:creator>
      <dc:date>2022-11-08T07:49:16Z</dc:date>
    </item>
    <item>
      <title>Re: Cloud Identity Engine Directory Sync</title>
      <link>https://live.paloaltonetworks.com/t5/cloud-identity-engine/cloud-identity-engine-directory-sync/m-p/520727#M32</link>
      <description>&lt;P&gt;I had 0s for everything until I changed Palo Alto Network Services to use the outside interface instead of the management interface.&lt;/P&gt;</description>
      <pubDate>Wed, 09 Nov 2022 19:14:31 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cloud-identity-engine/cloud-identity-engine-directory-sync/m-p/520727#M32</guid>
      <dc:creator>CCIE11129</dc:creator>
      <dc:date>2022-11-09T19:14:31Z</dc:date>
    </item>
    <item>
      <title>Re: Cloud Identity Engine Directory Sync</title>
      <link>https://live.paloaltonetworks.com/t5/cloud-identity-engine/cloud-identity-engine-directory-sync/m-p/522010#M34</link>
      <description>&lt;P&gt;Have the exact same issue, can't get guest user to select configuration and the user is listed under "Unmapped Groups" when running &lt;EM&gt;show user cloud-identity-engine client statistics.&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;Did you get any further?&lt;/P&gt;</description>
      <pubDate>Tue, 22 Nov 2022 10:56:29 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cloud-identity-engine/cloud-identity-engine-directory-sync/m-p/522010#M34</guid>
      <dc:creator>Johande</dc:creator>
      <dc:date>2022-11-22T10:56:29Z</dc:date>
    </item>
    <item>
      <title>Re: Cloud Identity Engine Directory Sync</title>
      <link>https://live.paloaltonetworks.com/t5/cloud-identity-engine/cloud-identity-engine-directory-sync/m-p/527775#M35</link>
      <description>&lt;P&gt;PanOS 10.2.3-h2&lt;/P&gt;
&lt;P&gt;I've configured CIE in Panorama; it shows Enabled. All behavior I see is exactly like all others in this thread. Via CLI, I have zeros on everything relating to CIE.&lt;/P&gt;
&lt;P&gt;On the same config elements on a firewall (also connected/managed by Panorama FWIW), I have configured in the same way. CLI shows zeros just like with Panorama. &lt;EM&gt;But...&lt;/EM&gt; creating a security policy on the firewall and browsing groups shows all groups synched from Azure AD. It's there. I haven't found documentation about the CLI commands, nor any relating to CIE and group-mapping beyond "here is a section where you can pick what attributes a group is in your cloud environment."&lt;/P&gt;
&lt;P&gt;I double checked this on Panorama by way of creating a sample security rule and browsing for source groups and I got nothing on that end.&lt;/P&gt;</description>
      <pubDate>Thu, 19 Jan 2023 21:00:12 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cloud-identity-engine/cloud-identity-engine-directory-sync/m-p/527775#M35</guid>
      <dc:creator>BenKnorr2</dc:creator>
      <dc:date>2023-01-19T21:00:12Z</dc:date>
    </item>
    <item>
      <title>Re: Cloud Identity Engine Directory Sync</title>
      <link>https://live.paloaltonetworks.com/t5/cloud-identity-engine/cloud-identity-engine-directory-sync/m-p/527781#M36</link>
      <description>&lt;P&gt;Before I changed the CIE to use the outside interface to get it to work, I was seeing the 0 stats and never run under CLI commands. During the period where it showed this, I would select groups in security policies and then see them listed, but could never see a user mapped to it. I think it actually showed in the "unmapped" section of the CLI. I put a user in a security policy and then could see the user in CLI but still not mapped to a group. I swore that I could see users and groups in the CLI. I changed to use the outside interface to communicate to CIE and everything started working; then I could see that previously I wasn't actually seeing info pulled from CIE.&lt;/P&gt;</description>
      <pubDate>Thu, 19 Jan 2023 21:17:52 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cloud-identity-engine/cloud-identity-engine-directory-sync/m-p/527781#M36</guid>
      <dc:creator>CCIE11129</dc:creator>
      <dc:date>2023-01-19T21:17:52Z</dc:date>
    </item>
    <item>
      <title>Re: Cloud Identity Engine Directory Sync</title>
      <link>https://live.paloaltonetworks.com/t5/cloud-identity-engine/cloud-identity-engine-directory-sync/m-p/587891#M65</link>
      <description>&lt;P&gt;This sounds like you had a security policy in your way, and you bypassed it by using an 'untrust' to 'untrust' route instead.&lt;/P&gt;</description>
      <pubDate>Fri, 24 May 2024 14:06:42 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cloud-identity-engine/cloud-identity-engine-directory-sync/m-p/587891#M65</guid>
      <dc:creator>PaulArcellx</dc:creator>
      <dc:date>2024-05-24T14:06:42Z</dc:date>
    </item>
  </channel>
</rss>

