Prisma Access with CIE

pavel.zemtsov — Wed, 11 Sep 2024 01:31:09 GMT

Hi All,

Need your assistance. The problem is that test rule with user group doesn't have any hits. The users generating traffic are definitely part of the group.

Setup:

Prisma Access managed from On-prem Panorama.

CIE with AD sync. Users and groups are visible from CIE dashboard.

When policy rule configured I can choose from the groups list.

Unfortunately, there are no firewalls to verify if I can get user group membership from CIE.

I have concern regarding upper and lower case letters in the group name. *(DB article: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000sY3lCAE)

AD name: CN=WebAccess-Basic,OU=User,OU=myou,OU=ANOTHEROU,DC=ad,DC=MYDC,DC=org,DC=au

Policy rule name from the drop down list: cn=webaccess-basic,ou=user,ou=myou,ou=anotherou,dc=ad,dc=mydc,dc=org,dc=au

The only confusing thing is that I'm getting the drop down list from CIE, I can't believe it gives me the wrong format. And if so, then I'll need to make changes to each group I'm going to use through Group Mapping setting in Prisma device group, right?

I've attached some screenshots with configuration/settings for reference.

Re: Prisma Access with CIE

uthankappanpi — Mon, 16 Sep 2024 16:03:09 GMT

@pavel.zemtsov wrote:

Hi All,

Need your assistance. The problem is that test rule with user group doesn't have any hits. The users generating traffic are definitely part of the group.

Setup:

Prisma Access managed from On-prem Panorama.

CIE with AD sync. Users and groups are visible from CIE dashboard.

When policy rule configured I can choose from the groups list.

Unfortunately, there are no firewalls to verify if I can get user group membership from CIE.

I have concern regarding upper and lower case letters in the group name. *(DB article: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000sY3lCAE)

AD name: CN=WebAccess-Basic,OU=User,OU=myou,OU=ANOTHEROU,DC=ad,DC=MYDC,DC=org,DC=au

Policy rule name from the drop down list: cn=webaccess-basic,ou=user,ou=myou,ou=anotherou,dc=ad,dc=mydc,dc=org,dc=au

The only confusing thing is that I'm getting the drop down list from CIE, I can't believe it gives me the wrong format. And if so, then I'll need to make changes to each group I'm going to use through Group Mapping setting in Prisma device group, right?

I've attached some screenshots with configuration/settings for reference.

@pavel.zemtsov

You said the Test Rule with the user group doesn't have any hits and assuming that it doesn't have any spaces and all are lower cases when it auto-populates
in the firewall policies.

It has to be all lower case on the firewall.

Additionally You may also please refer the documentation below on how CIE populates the group names in the Security Policies.

https://docs.paloaltonetworks.com/prisma/prisma-access/3-2/prisma-access-panorama-admin/configure-user-based-policies-with-prisma-access/retrieve-user-id-information/retrieve-group-mapping-using-the-cloud-identity-engine#ida3d63c52-cc40-4553-af7d-f5f88bbdd95a

If your group info is auto-populates in the Firewall policies with all lowercases and no spaces and still it is not working I would recommend you to raise a support case to further to diagnose the exact causes why it's occurring.

topic Prisma Access with CIE in Prisma Access Discussions

Prisma Access with CIE

Re: Prisma Access with CIE