<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>article PANCast™ Episode 38: Cloud Identity Engine in PANCast™ Episodes</title>
    <link>https://live.paloaltonetworks.com/t5/pancast-episodes/pancast-episode-38-cloud-identity-engine/ta-p/580035</link>
    <description>&lt;DIV class="lia-message-template-content-zone"&gt;
&lt;P&gt;&lt;div class="video-embed-center video-embed"&gt;&lt;iframe class="embedly-embed" src="https://cdn.embedly.com/widgets/media.html?src=https%3A%2F%2Fwww.youtube.com%2Fembed%2F3TxdJeIufZ0%3Ffeature%3Doembed&amp;amp;display_name=YouTube&amp;amp;url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3D3TxdJeIufZ0&amp;amp;image=https%3A%2F%2Fi.ytimg.com%2Fvi%2F3TxdJeIufZ0%2Fhqdefault.jpg&amp;amp;type=text%2Fhtml&amp;amp;schema=youtube" width="600" height="337" scrolling="no" title="PANCast™ Episode 38: Cloud Identity Engine" frameborder="0" allow="autoplay; fullscreen; encrypted-media; picture-in-picture;" allowfullscreen="true"&gt;&lt;/iframe&gt;&lt;/div&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;I&gt;&lt;EM&gt;Episode Transcript:&lt;/EM&gt;&lt;/I&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;I&gt;John:&lt;/I&gt;&amp;nbsp;&lt;/STRONG&gt;&lt;/P&gt;
&lt;DIV&gt;
&lt;DIV&gt;
&lt;DIV&gt;
&lt;DIV&gt;&lt;SPAN&gt;Hello PANCasters, welcome back to another episode. Today Angelo is back to talk to us about Cloud Identity Engine. Welcome back Angelo.&lt;/SPAN&gt;&lt;/DIV&gt;
&lt;/DIV&gt;
&lt;/DIV&gt;
&lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt;
&lt;/DIV&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;EM&gt;&lt;FONT color="#FF6600"&gt;&lt;I&gt;Angelo:&lt;span class="lia-inline-image-display-wrapper lia-image-align-right" image-alt="Angelo Eisma is a Senior Technical Support Engineer at Palo Alto Networks. He has previously worked for a Security Operations Center and a Telco. As part of Palo Alto Networks TAC, he is an SME for Remote Access and ID Management and is highly enthusiastic about sharing his knowledge and experience with customers." style="width: 314px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/58287iCFAEAF4E7CE9DFFA/image-dimensions/314x311?v=v2" width="314" height="311" role="button" title="PANCast Ep_Angelo-Eisma_palo-alto-networks.png" alt="Angelo Eisma is a Senior Technical Support Engineer at Palo Alto Networks. He has previously worked for a Security Operations Center and a Telco. As part of Palo Alto Networks TAC, he is an SME for Remote Access and ID Management and is highly enthusiastic about sharing his knowledge and experience with customers." /&gt;&lt;span class="lia-inline-image-caption" onclick="event.preventDefault();"&gt;Angelo Eisma is a Senior Technical Support Engineer at Palo Alto Networks. He has previously worked for a Security Operations Center and a Telco. As part of Palo Alto Networks TAC, he is an SME for Remote Access and ID Management and is highly enthusiastic about sharing his knowledge and experience with customers.&lt;/span&gt;&lt;/span&gt;&lt;/I&gt;&lt;/FONT&gt;&lt;/EM&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;DIV&gt;
&lt;DIV&gt;&lt;SPAN&gt;Thanks John and glad to be back.&lt;/SPAN&gt;&lt;/DIV&gt;
&lt;/DIV&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;I&gt;John:&lt;/I&gt;&amp;nbsp;&lt;/STRONG&gt;&lt;/P&gt;
&lt;DIV&gt;
&lt;DIV&gt;
&lt;DIV&gt;
&lt;DIV&gt;&lt;SPAN&gt;So Angelo, what is Cloud Identity Engine?&lt;/SPAN&gt;&lt;/DIV&gt;
&lt;/DIV&gt;
&lt;/DIV&gt;
&lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt;
&lt;DIV&gt;
&lt;H2 id="toc-hId-1736998815"&gt;&lt;STRONG&gt;&lt;FONT color="#FF6600"&gt;What is Cloud Identity Engine?&lt;/FONT&gt;&lt;/STRONG&gt;&lt;/H2&gt;
&lt;/DIV&gt;
&lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt;
&lt;/DIV&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;EM&gt;&lt;FONT color="#FF6600"&gt;&lt;I&gt;Angelo:&lt;/I&gt;&lt;/FONT&gt;&lt;/EM&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;DIV&gt;
&lt;DIV&gt;&lt;SPAN&gt;So firstly, Cloud Identity Engine is often shortened to CIE. CIE offers two main functions at the moment, which are to do with knowing your users. Firstly, it does directory sync, so it can sync your user and group information from either cloud directory services such as Microsoft Entra ID or your on-premises directory data. This data can be used by Palo Alto Networks products for things like user enforcement. As an example, you can collect group information from CIE for your firewalls and use that group information in your policies. So let’s say your organization does not allow access to online storage sites by default, but there is a business reason for a limited set of users to be able to access these sites. You can add a security policy on your firewall, based on a specific group, to allow access to these sites, and then you control access via groups rather than by having to make changes on the firewall. Now this is not new to Palo Alto Networks and we did discuss this in a previous episode, but what is different is that CIE makes it easy to get your user and group information from public cloud directories. It can be configured to talk to your directory, and then all your firewalls, Panorama, and Prisma Access can just point to CIE to get the data.&lt;/SPAN&gt;&lt;/DIV&gt;
&lt;/DIV&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;I&gt;John:&lt;/I&gt;&amp;nbsp;&lt;/STRONG&gt;&lt;/P&gt;
&lt;DIV&gt;
&lt;DIV&gt;
&lt;DIV&gt;
&lt;DIV&gt;&lt;SPAN&gt;Sounds helpful Angelo, so what is the second function?&lt;/SPAN&gt;&lt;/DIV&gt;
&lt;/DIV&gt;
&lt;/DIV&gt;
&lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt;
&lt;/DIV&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;EM&gt;&lt;FONT color="#FF6600"&gt;&lt;I&gt;Angelo:&lt;/I&gt;&lt;/FONT&gt;&lt;/EM&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;DIV&gt;
&lt;DIV&gt;&lt;SPAN&gt;Along the same lines for knowing your users, CIE also offers Cloud Authentication Service, or CAS for short. This is similar to the directory sync in that you can configure your SAML IdP on CAS and then configure various Palo Alto Networks products to use CAS as the authentication service. So instead of having to configure SAML authentication on each firewall and on Prisma Access, you configure it once on CAS and point your services to use CAS for authentication. You can also configure multiple SAML providers in CAS to be used for different purposes. So if you have multiple SAML providers, CAS can support this.&lt;/SPAN&gt;&lt;/DIV&gt;
&lt;/DIV&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;I&gt;John:&lt;/I&gt;&amp;nbsp;&lt;/STRONG&gt;&lt;/P&gt;
&lt;DIV&gt;
&lt;DIV&gt;
&lt;DIV&gt;
&lt;DIV&gt;&lt;SPAN&gt;Great so it sounds like this is helpful in easing where you have to configure both user and group information and also SAML authentication. &lt;/SPAN&gt;&lt;/DIV&gt;
&lt;/DIV&gt;
&lt;/DIV&gt;
&lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt;
&lt;/DIV&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;EM&gt;&lt;FONT color="#FF6600"&gt;&lt;I&gt;Angelo:&lt;/I&gt;&lt;/FONT&gt;&lt;/EM&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;DIV&gt;
&lt;DIV&gt;&lt;SPAN&gt;It does really help. And one last thing I want to mention is that CIE also now supports data redistribution. So it can also be used to redistribute data, such as user-to-IP mappings or HIP reports, between your devices. Things like user-to-IP mappings are very important to be correct, up to date, and also known by all devices that need to know them. CIE can be used to make sure this data is redistributed to where it needs to be known. This is similar to users and groups and authentication: while you can currently do this using Palo Alto Networks firewalls and Panorama, having it configured in CIE and then just pointing your firewalls, Panorama, and Prisma Access to CIE simplifies the process.&lt;/SPAN&gt;&lt;/DIV&gt;
&lt;/DIV&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;I&gt;John:&lt;/I&gt;&amp;nbsp;&lt;/STRONG&gt;&lt;/P&gt;
&lt;DIV&gt;
&lt;DIV&gt;
&lt;DIV&gt;&lt;SPAN&gt;Great info Angelo, so as a recap, what does CIE give us?&lt;/SPAN&gt;&lt;/DIV&gt;
&lt;/DIV&gt;
&lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt;
&lt;/DIV&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;EM&gt;&lt;FONT color="#FF6600"&gt;&lt;I&gt;Angelo:&lt;/I&gt;&lt;/FONT&gt;&lt;/EM&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;DIV&gt;
&lt;DIV&gt;&lt;SPAN&gt;So the main thing is you can centralize the configuration and then Palo Alto Networks products can use CIE for authentication, user and group information and also certain data redistribution.&lt;/SPAN&gt;&lt;/DIV&gt;
&lt;/DIV&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;I&gt;John:&lt;/I&gt;&amp;nbsp;&lt;/STRONG&gt;&lt;/P&gt;
&lt;DIV&gt;
&lt;DIV&gt;
&lt;DIV&gt;
&lt;DIV&gt;&lt;SPAN&gt;Really good info, just one last question, anything to be aware of when using CIE?&lt;/SPAN&gt;&lt;/DIV&gt;
&lt;/DIV&gt;
&lt;/DIV&gt;
&lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt;
&lt;/DIV&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;EM&gt;&lt;FONT color="#FF6600"&gt;&lt;I&gt;Angelo:&lt;/I&gt;&lt;/FONT&gt;&lt;/EM&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;DIV&gt;
&lt;DIV&gt;&lt;SPAN&gt;Really good question John. So the one thing that we recommend is to just check the supported features in CIE against the products and the versions you use. As an example, the data redistribution service in CIE, which is called User Context, will only work with devices that are currently on PAN-OS 11.0 or higher. This is one of those things that really should be checked anyway when using different features on Palo Alto Networks products, but I thought I would note it just for this specific reason.&lt;/SPAN&gt;&lt;/DIV&gt;
&lt;/DIV&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;I&gt;John:&lt;/I&gt;&amp;nbsp;&lt;/STRONG&gt;&lt;/P&gt;
&lt;DIV&gt;
&lt;DIV&gt;
&lt;DIV&gt;
&lt;DIV&gt;&lt;SPAN&gt;Thanks so much again Angelo, great info on CIE.&lt;/SPAN&gt;&lt;/DIV&gt;
&lt;/DIV&gt;
&lt;/DIV&gt;
&lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt;
&lt;/DIV&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;EM&gt;&lt;FONT color="#FF6600"&gt;&lt;I&gt;Angelo:&lt;/I&gt;&lt;/FONT&gt;&lt;/EM&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;DIV&gt;
&lt;DIV&gt;&lt;SPAN&gt;You’re welcome John, can’t wait to come back for another episode.&lt;/SPAN&gt;&lt;/DIV&gt;
&lt;DIV&gt;&lt;SPAN&gt;For our listeners please do not forget to check the transcript of this episode for some troubleshooting resources.&lt;/SPAN&gt;&lt;/DIV&gt;
&lt;/DIV&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;I&gt;John:&lt;/I&gt;&amp;nbsp;&lt;/STRONG&gt;&lt;/P&gt;
&lt;DIV&gt;
&lt;DIV&gt;
&lt;DIV&gt;
&lt;DIV&gt;&lt;SPAN&gt;I’m sure you’ll be back soon Angelo! PANCasters, I hope you enjoyed today’s episode. Remember the transcript and additional information is available at live.paloaltonetworks.com. Until next time.&lt;/SPAN&gt;&lt;/DIV&gt;
&lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt;
&lt;DIV&gt;
&lt;P&gt;&lt;STRONG&gt;Related Content:&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A title="Cloud Identity Engine Troubleshooting Checklist" href="https://docs.paloaltonetworks.com/cloud-identity/cloud-identity-engine-getting-started/troubleshoot-the-cloud-identity-engine/cloud-identity-engine-troubleshooting-checklist" target="_blank" rel="nofollow noopener noreferrer"&gt;Cloud Identity Engine Troubleshooting Checklist&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;LI-PRODUCT title="Cloud Identity" id="Cloud_Identity"&gt;&lt;/LI-PRODUCT&gt;&amp;nbsp;&lt;/P&gt;
&lt;/DIV&gt;
&lt;/DIV&gt;
&lt;/DIV&gt;
&lt;/DIV&gt;
&lt;/DIV&gt;</description>
    <pubDate>Wed, 13 Mar 2024 22:19:08 GMT</pubDate>
    <dc:creator>ozheng</dc:creator>
    <dc:date>2024-03-13T22:19:08Z</dc:date>
    <item>
      <title>PANCast™ Episode 38: Cloud Identity Engine</title>
      <link>https://live.paloaltonetworks.com/t5/pancast-episodes/pancast-episode-38-cloud-identity-engine/ta-p/580035</link>
      <description>&lt;P&gt;This episode introduces the Cloud Identity Engine and its benefits.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Title_PANCast Ep 38_palo-alto-networks.jpg" style="width: 960px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/58288i925E7629FD09C8CE/image-size/large?v=v2&amp;amp;px=999" role="button" title="Title_PANCast Ep 38_palo-alto-networks.jpg" alt="Title_PANCast Ep 38_palo-alto-networks.jpg" /&gt;&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 13 Mar 2024 22:19:08 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/pancast-episodes/pancast-episode-38-cloud-identity-engine/ta-p/580035</guid>
      <dc:creator>ozheng</dc:creator>
      <dc:date>2024-03-13T22:19:08Z</dc:date>
    </item>
    <item>
      <title>Re: PANCast™ Episode 38: Cloud Identity Engine</title>
      <link>https://live.paloaltonetworks.com/t5/pancast-episodes/pancast-episode-38-cloud-identity-engine/tac-p/588341#M100</link>
      <description>&lt;P&gt;Hi &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/109098"&gt;@ozheng&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thank you for the great info. If we configure the CIE on the firewall, can we use it for the security policy? Because when we create CIE on the firewall we can see the users populating, but from the traffic logs we cannot see the source users and they are not hitting the rule.&lt;/P&gt;</description>
      <pubDate>Thu, 30 May 2024 06:22:45 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/pancast-episodes/pancast-episode-38-cloud-identity-engine/tac-p/588341#M100</guid>
      <dc:creator>KhaleelE</dc:creator>
      <dc:date>2024-05-30T06:22:45Z</dc:date>
    </item>
    <item>
      <title>Re: PANCast™ Episode 38: Cloud Identity Engine</title>
      <link>https://live.paloaltonetworks.com/t5/pancast-episodes/pancast-episode-38-cloud-identity-engine/tac-p/588444#M101</link>
      <description>&lt;P&gt;Hello&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/289014"&gt;@KhaleelE&lt;/a&gt;&amp;nbsp;,&lt;BR /&gt;I think you need to review your configuration, something is probably missing in the zone.&lt;BR /&gt;Olivier&lt;/P&gt;</description>
      <pubDate>Fri, 31 May 2024 02:42:09 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/pancast-episodes/pancast-episode-38-cloud-identity-engine/tac-p/588444#M101</guid>
      <dc:creator>ozheng</dc:creator>
      <dc:date>2024-05-31T02:42:09Z</dc:date>
    </item>
    <item>
      <title>Re: PANCast™ Episode 38: Cloud Identity Engine</title>
      <link>https://live.paloaltonetworks.com/t5/pancast-episodes/pancast-episode-38-cloud-identity-engine/tac-p/588592#M102</link>
      <description>&lt;P&gt;Hello &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/109098"&gt;@ozheng&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks for your response. Here is the TAC response below:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;As per the discussion, you wanted to restrict users by user-based security policies. By configuring CIE we archived information about user and group.&lt;BR /&gt;To map a user to an IP address, the firewall still needs information; only then will user-based security policy function.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;So I am confused: using CIE only, are we able to restrict users by user-based security policy?&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 03 Jun 2024 12:52:41 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/pancast-episodes/pancast-episode-38-cloud-identity-engine/tac-p/588592#M102</guid>
      <dc:creator>KhaleelE</dc:creator>
      <dc:date>2024-06-03T12:52:41Z</dc:date>
    </item>
    <item>
      <title>Re: PANCast™ Episode 38: Cloud Identity Engine</title>
      <link>https://live.paloaltonetworks.com/t5/pancast-episodes/pancast-episode-38-cloud-identity-engine/tac-p/589029#M103</link>
      <description>&lt;P&gt;Hello&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/289014"&gt;@KhaleelE&lt;/a&gt;&amp;nbsp;,&lt;/P&gt;
&lt;P&gt;As written by the colleague in TAC, User-ID can be broken down into 2 functions:&lt;/P&gt;
&lt;P&gt;- user information (that can be done by CIE, Agentless or agents...)&lt;/P&gt;
&lt;P&gt;- mapping on actual traffic (irrespective of the method chosen above)&lt;/P&gt;
&lt;P&gt;Unless you did the necessary for the second point, you will only get the usernames.&lt;/P&gt;
&lt;P&gt;Open the documentation; that should be among the first steps of configuration.&lt;/P&gt;
&lt;P&gt;Olivier&lt;/P&gt;</description>
      <pubDate>Fri, 07 Jun 2024 02:50:58 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/pancast-episodes/pancast-episode-38-cloud-identity-engine/tac-p/589029#M103</guid>
      <dc:creator>ozheng</dc:creator>
      <dc:date>2024-06-07T02:50:58Z</dc:date>
    </item>
  </channel>
</rss>

