PANCast™ Episode 38: Cloud Identity Engine


Episode Transcript:

 

John: 

Hello PANCasters, welcome back to another episode. Today Angelo is back to talk to us about Cloud Identity Engine. Welcome back Angelo.
 

Angelo:

Angelo Eisma is a Senior Technical Support Engineer at Palo Alto Networks. He has previously worked for a Security Operations Center and a Telco. As part of Palo Alto Networks TAC, he is an SME for Remote Access and ID Management and is highly enthusiastic about sharing his knowledge and experience with customers.

Thanks John and glad to be back.

 

John: 

So Angelo, what is Cloud Identity Engine?
 

What is Cloud Identity Engine?

 

Angelo:

So firstly, Cloud Identity Engine is often shortened to CIE. CIE offers two main functions at the moment, which are to do with knowing your users. Firstly, it does directory sync, so it can sync your user and group information from either cloud directory services such as Microsoft Entra ID or your on-premise directory data. This data can be used by Palo Alto Networks products for things like user enforcement. As an example, you can collect group information from CIE for your firewalls and use that group information in your policies. So let’s say your organization does not allow access to online storage sites by default, but there is a business reason for a limited set of users to be able to access these sites. You can add a security policy on your firewall, based on a specific group, to allow access to these sites, and then you control access via groups rather than by having to make changes on the firewall. Now this is not new to Palo Alto Networks, and we did discuss this in a previous episode, but what is different is that CIE makes it easy to get your user and group information from public cloud directories. It can be configured to talk to your directory, and then all your firewalls, Panorama, and Prisma Access can just point to CIE to get the data.

 

John: 

Sounds helpful Angelo, so what is the second function?
 

Angelo:

Along the same lines of knowing your users, CIE also offers Cloud Authentication Service, or CAS for short. This is similar to the directory sync in that you can configure your SAML IdP on CAS and then configure various Palo Alto Networks products to use CAS as the authentication service. So instead of having to configure SAML authentication on each firewall and on Prisma Access, you configure it once on CAS and point your services to use CAS for authentication. You can also configure multiple SAML providers in CAS to be used for different purposes. So if you have multiple SAML providers, CAS can support this.

 

John: 

Great so it sounds like this is helpful in easing where you have to configure both user and group information and also SAML authentication.
 

Angelo:

It does really help. And one last thing I want to mention is that CIE also now supports data redistribution. So it can also be used to redistribute data, such as user-to-IP mappings or HIP reports, between your devices. Things like user-to-IP mappings are very important to be correct, up to date, and also known by all devices that need to know them. CIE can be used to make sure this data is redistributed to where it needs to be known. This is similar to users and groups and authentication: while you can currently do this using Palo Alto Networks firewalls and Panorama, having it configured in CIE and then just pointing your firewalls, Panorama, and Prisma Access to CIE simplifies the process.

 

John: 

Great Info Angelo, so as a recap, what does CIE give us?
 

Angelo:

So the main thing is you can centralize the configuration and then Palo Alto Networks products can use CIE for authentication, user and group information and also certain data redistribution.

 

John: 

Really good info, just one last question, anything to be aware of when using CIE?
 

Angelo:

Really good question, John. So the one thing that we recommend is to just check the supported features in CIE against the products and the versions you use. As an example, the data redistribution service in CIE, which is called user context, will only work with devices that are currently on PAN-OS 11.0 or higher. This is one of those things that really should be checked anyway when using different features on Palo Alto Networks products, but I thought I would note it for this specific reason.

 

John: 

Thanks so much again Angelo, great info on CIE.
 

Angelo:

You’re welcome John, can’t wait to come back for another episode.
For our listeners please do not forget to check the transcript of this episode for some troubleshooting resources.

 

John: 

I’m sure you’ll be back soon Angelo! PANCasters, I hope you enjoyed today’s episode. Remember the transcript and additional information is available at live.paloaltonetworks.com. Until next time.
 
Rate this article:
Comments
L4 Transporter

Hi @ozheng 

Thank you for the great info. If we configure the CIE on the firewall, can we use it for the security policy? Because when we create CIE on the firewall we can see the users are populating, but from the traffic logs we cannot see the source users, and they are not hitting the rule.


Hello @KhaleelE ,
I think you need to review your configuration, something is probably missing in the zone.
Olivier


Hello @ozheng 

Thanks for your response. Here is the TAC response below:

As per the discussion, you wanted to restrict users by user based security policies. By configuring CIE we archived information about user and group.
To map a user to an IP address, the firewall still needs information; only then user based security policy will function.

So I am confused: using CIE only, are we able to restrict users by user-based security policy?


Hello @KhaleelE ,

As written by the colleague in TAC, User-ID can be broken down into 2 functions:

- user information (that can be done by CIE, Agentless or agents...)

- mapping on actual traffic (irrespective of the method chosen above)

Unless you did what is necessary for the second point, you will only get the usernames.

You open the documentation, that should be among the first steps of configuration.

Olivier
