https://live.paloaltonetworks.com/t5/prisma-access-discussions/using-cloud-identity-engine-to-enforce-group-based-policies-in/m-p/575081#M679 <P>Awesome thanks..</P> Wed, 31 Jan 2024 11:07:13 GMT PA_nts 2024-01-31T11:07:13Z https://live.paloaltonetworks.com/t5/prisma-access-discussions/using-cloud-identity-engine-to-enforce-group-based-policies-in/m-p/573449#M667 <P>Hi All,</P> <P>Question on retrieving user-group mappings only, using Cloud Identity Engine to enforce group-based policies.</P> <P>&nbsp;</P> <P>So i have this setup at the moment:<BR />Panorama managed FWs in Azure with Global protect (works)<BR />The FWs use SAML currently for authenticating GP users against Azure AD (works)</P> <P>Additionally, what I want to achieve is the following.<BR />To setup group-based policies on the FW to allow for instance:</P> <P>Source: Zone - GP_VPN<BR />user group: GROUP_SALES can access Zone TRUST - 10.10.10.0/24 on https only<BR /><BR />Source: Zone - GP_VPN<BR />user group: GROUP_HR can access zone TRUST 10.20.20.0/24 on https only</P> <P>&nbsp;</P> <P>Source: Zone - GP_VPN<BR />user group: GROUP_Accounts can access zone TRUST 10.30.30.0/24 on https only</P> <P><BR />So I only want the FW to enforce Azure AD-Group based policies for users connecting via Globalprotect.</P> <P>&nbsp;</P> <P>So from what I can tell, this is possible with Cloud Identity Engine.</P> <P>&nbsp;</P> <P>questions:<BR />will this work and not affect my current SAML config.<BR />do i need to enable/configure user-id (not enabled atm anywhere)</P> <P>&nbsp;</P> <P>so looking at this doc from PAN, it seems to do what I want to do.. but just need a second pair of eyes please.</P> <P>&nbsp;</P> <P><A href="https://docs.paloaltonetworks.com/cloud-identity/cloud-identity-engine-getting-started/authenticate-users-with-the-cloud-identity-engine/configure-the-cloud-identity-engine-as-a-mapping-source-on-the-firewall" target="_blank">https://docs.paloaltonetworks.com/cloud-identity/cloud-identity-engine-getting-started/authenticate-users-with-the-cloud-identity-engine/configure-the-cloud-identity-engine-as-a-mapping-source-on-the-firewall</A></P> <P>&nbsp;</P> <P>thanks in adv</P> Thu, 18 Jan 2024 10:15:56 GMT https://live.paloaltonetworks.com/t5/prisma-access-discussions/using-cloud-identity-engine-to-enforce-group-based-policies-in/m-p/573449#M667 PA_nts 2024-01-18T10:15:56Z https://live.paloaltonetworks.com/t5/prisma-access-discussions/using-cloud-identity-engine-to-enforce-group-based-policies-in/m-p/575061#M677 <P>you need to ensure the GP_VPN zone has user-id enabled, that ensures user-ids are mapped and logged etc</P> <P>afterwards you can connect CIE, without causing impact, this will simply load all your available groups to the firewall</P> <P>once that's done you can start adding groups to security rules</P> Wed, 31 Jan 2024 08:44:48 GMT https://live.paloaltonetworks.com/t5/prisma-access-discussions/using-cloud-identity-engine-to-enforce-group-based-policies-in/m-p/575061#M677 reaper 2024-01-31T08:44:48Z https://live.paloaltonetworks.com/t5/prisma-access-discussions/using-cloud-identity-engine-to-enforce-group-based-policies-in/m-p/575081#M679 <P>Awesome thanks..</P> Wed, 31 Jan 2024 11:07:13 GMT https://live.paloaltonetworks.com/t5/prisma-access-discussions/using-cloud-identity-engine-to-enforce-group-based-policies-in/m-p/575081#M679 PA_nts 2024-01-31T11:07:13Z https://live.paloaltonetworks.com/t5/prisma-access-discussions/using-cloud-identity-engine-to-enforce-group-based-policies-in/m-p/579001#M705 <P>quick update..</P> <P>CIE app activated, Azure config done, CIE can connect and i can see user groups/names etc within CIE App.. all good.</P> <P>however stuck on the FWs..</P> <P>i have panorama with managed FWs..</P> <P>in the template group i configured CIE with the tenant and domain info (auto retrieved so tells me it connects ok) - changes committed.</P> <P>In Panorama, if i go into a security rule on my device group policy, i am unable to pull the user details..</P> <P>however If i change to the FW context and create a dummy rule, then i am able to see the users/groups pulled from CIE</P> <P>&nbsp;</P> <P>so not sure why this is.</P> <P>I have configured CIE profile only in panorama&gt;device&gt;User Identification&gt; Cloud Identity Engine</P> <P>&nbsp;</P> <P>i followed this doc. but stuck at step 8 <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> <P>&nbsp;</P> <P><A href="https://docs.paloaltonetworks.com/cloud-identity/cloud-identity-engine-getting-started/authenticate-users-with-the-cloud-identity-engine/configure-the-cloud-identity-engine-as-a-mapping-source-on-the-firewall" target="_blank">https://docs.paloaltonetworks.com/cloud-identity/cloud-identity-engine-getting-started/authenticate-users-with-the-cloud-identity-engine/configure-the-cloud-identity-engine-as-a-mapping-source-on-the-firewall</A></P> <P>&nbsp;</P> <P>any ideas?</P> <P>thanks</P> <P>&nbsp;</P> Fri, 01 Mar 2024 11:06:01 GMT https://live.paloaltonetworks.com/t5/prisma-access-discussions/using-cloud-identity-engine-to-enforce-group-based-policies-in/m-p/579001#M705 PA_nts 2024-03-01T11:06:01Z