Cloud Identity Engine (CIE) and group mapping on firewalls - Groups and/or group membership updates not working as expected

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Cloud Identity Engine (CIE) and group mapping on firewalls - Groups and/or group membership updates not working as expected

L3 Networker

I just wanted to let more folks know about this KB article concerning Cloud Identity Engine (CIE) and group mapping on firewalls. Knowing about this issue documented in the KB ahead of time would have saved a lot of frustration for us. Its information that SHOULD be in the main documentation, but isn't.

 

"How to push Cloud Identity Engine (CIE) managed group-mapping to the Firewalls"

 

What Happened

We have Prisma Access. (This would also apply to GlobalProtect VPN and any use case that needs groups and group membership coming from CIE.) We have an Internal Gateway defined. The firewalls use a group sourced from CIE to gate who can connect to the Internal Gateway. The group existed, but the membership was not being updated. It had 58 members on the firewall. It has 149 members on CIE. 

 

What You Need To Do (KB Article Summary)

If you have groups in your firewalls that come from Cloud Identity Engine (CIE), those groups MUST be added under the Security Policy somewhere for the firewall to properly pick them up and keep the memberships up to date.

 

Impact

If you don't do this, the firewall may or may not get the group and/or may not apply updates to the group membership. 

 

Workaround / Fix:

After reading the KB article, I ended up defining a do-nothing, impossible to satisfy, rule at the bottom of my security policy that references the CIE groups I needed. Group mapping, specifically getting group membership updates, started working properly as soon as the firewall commit was completed.

 

Hope this is useful information for other folks!

NGFW Cloud Identity 

0 REPLIES 0
  • 1597 Views
  • 0 replies
  • 2 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!