<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Cloud Identity Engine (CIE) and group mapping on firewalls - Groups and/or group membership updates not working as expected in Next-Generation Firewall Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/cloud-identity-engine-cie-and-group-mapping-on-firewalls-groups/m-p/566067#M2117</link>
    <description>&lt;P&gt;I just wanted to let more folks know about this KB article concerning Cloud Identity Engine (CIE) and group mapping on firewalls. Knowing about this issue documented in the KB ahead of time would have saved a &lt;EM&gt;lot&lt;/EM&gt; of frustration for us. It's information that SHOULD be in the main documentation, but isn't.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;"How to push Cloud Identity Engine (CIE) managed group-mapping to the Firewalls"&lt;/EM&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000wkppCAA" target="_self"&gt;https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000wkppCAA&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;What Happened&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;We have Prisma Access. (This would also apply to GlobalProtect VPN and any use case that needs groups and group membership coming from CIE.) We have an Internal Gateway defined. The firewalls use a group sourced from CIE to gate who can connect to the Internal Gateway. The group existed, but the membership was not being updated. It had 58 members on the firewall. It has 149 members on CIE.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;What You Need To Do (KB Article Summary)&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;If you have groups in your firewalls that come from Cloud Identity Engine (CIE), those groups MUST be added under the Security Policy somewhere for the firewall to properly pick them up and keep the memberships up to date.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Impact&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;If you don't do this, the firewall may or may not get the group and/or may not apply updates to the group membership.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Workaround / Fix:&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;After reading the KB article, I ended up defining a do-nothing, impossible to satisfy, rule at the bottom of my security policy that references the CIE groups I needed. Group mapping, specifically getting group membership updates, started working properly as soon as the firewall commit was completed.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Hope this is useful information for other folks!&lt;/P&gt;
&lt;P&gt;&lt;LI-PRODUCT title="NGFW" id="NGFW"&gt;&lt;/LI-PRODUCT&gt;&amp;nbsp;&lt;LI-PRODUCT title="Cloud Identity" id="Cloud_Identity"&gt;&lt;/LI-PRODUCT&gt;&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Fri, 17 Nov 2023 01:11:42 GMT</pubDate>
    <dc:creator>jjhernandez</dc:creator>
    <dc:date>2023-11-17T01:11:42Z</dc:date>
    <item>
      <title>Cloud Identity Engine (CIE) and group mapping on firewalls - Groups and/or group membership updates not working as expected</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/cloud-identity-engine-cie-and-group-mapping-on-firewalls-groups/m-p/566067#M2117</link>
      <description>&lt;P&gt;I just wanted to let more folks know about this KB article concerning Cloud Identity Engine (CIE) and group mapping on firewalls. Knowing about this issue documented in the KB ahead of time would have saved a &lt;EM&gt;lot&lt;/EM&gt; of frustration for us. It's information that SHOULD be in the main documentation, but isn't.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;"How to push Cloud Identity Engine (CIE) managed group-mapping to the Firewalls"&lt;/EM&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000wkppCAA" target="_self"&gt;https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000wkppCAA&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;What Happened&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;We have Prisma Access. (This would also apply to GlobalProtect VPN and any use case that needs groups and group membership coming from CIE.) We have an Internal Gateway defined. The firewalls use a group sourced from CIE to gate who can connect to the Internal Gateway. The group existed, but the membership was not being updated. It had 58 members on the firewall. It has 149 members on CIE.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;What You Need To Do (KB Article Summary)&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;If you have groups in your firewalls that come from Cloud Identity Engine (CIE), those groups MUST be added under the Security Policy somewhere for the firewall to properly pick them up and keep the memberships up to date.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Impact&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;If you don't do this, the firewall may or may not get the group and/or may not apply updates to the group membership.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Workaround / Fix:&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;After reading the KB article, I ended up defining a do-nothing, impossible to satisfy, rule at the bottom of my security policy that references the CIE groups I needed. Group mapping, specifically getting group membership updates, started working properly as soon as the firewall commit was completed.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Hope this is useful information for other folks!&lt;/P&gt;
&lt;P&gt;&lt;LI-PRODUCT title="NGFW" id="NGFW"&gt;&lt;/LI-PRODUCT&gt;&amp;nbsp;&lt;LI-PRODUCT title="Cloud Identity" id="Cloud_Identity"&gt;&lt;/LI-PRODUCT&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 17 Nov 2023 01:11:42 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/cloud-identity-engine-cie-and-group-mapping-on-firewalls-groups/m-p/566067#M2117</guid>
      <dc:creator>jjhernandez</dc:creator>
      <dc:date>2023-11-17T01:11:42Z</dc:date>
    </item>
  </channel>
</rss>