Episode Transcript:
John:
Hello PANCasters, welcome back to another episode. Today Angelo is back to talk to us about Cloud Identity Engine. Welcome back Angelo.
Angelo Eisma is a Senior Technical Support Engineer at Palo Alto Networks. He has previously worked for a Security Operations Center and a Telco. As part of Palo Alto Networks TAC, he is an SME for Remote Access and ID Management and is highly enthusiastic about sharing his knowledge and experience with customers.
Angelo:
Thanks John and glad to be back.
John:
So Angelo, what is Cloud Identity Engine?
Angelo:
So firstly, Cloud Identity Engine is often shortened to CIE. CIE offers two main functions at the moment, which are to do with knowing your users. Firstly, it does directory sync, so it can sync your user and group information from either cloud directory services such as Microsoft Entra ID or your on-premises directory data. This data can be used by Palo Alto Networks products for things like user enforcement. As an example, you can collect group information from CIE for your firewalls and use that group information in your policies. So let’s say your organization does not allow access to online storage sites by default, but there is a business reason for a limited set of users to be able to access these sites. You can add a security policy on your firewall, based on a specific group, to allow access to these sites, and then you control access via groups rather than by having to make changes on the firewall. Now this is not new to Palo Alto Networks, and we did discuss this in a previous episode, but what is different is that CIE makes it easy to get your user and group information from public cloud directories. It can be configured to talk to your directory, and then all your firewalls, Panorama, and Prisma Access can just point to CIE to get the data.
John:
Sounds helpful Angelo, so what is the second function?
Angelo:
Along the same lines for knowing your users, CIE also offers Cloud Authentication Service, or CAS for short. This is similar to the directory sync in that you can configure your SAML IdP on CAS and then configure various Palo Alto Networks products to use CAS as the authentication service. So instead of having to configure SAML authentication on each firewall and on Prisma Access, you configure it once on CAS and point your services to use CAS as the authentication service. You can also configure multiple SAML providers in CAS to be used for different purposes. So if you have multiple SAML providers, CAS can support this.
John:
Great so it sounds like this is helpful in easing where you have to configure both user and group information and also SAML authentication.
Angelo:
It does really help. And one last thing I want to mention is that CIE also now supports data redistribution. So it can also be used to redistribute data, such as user-to-IP mappings or HIP reports, between your devices. Things like user-to-IP mappings are very important to be correct, up to date, and also known by all devices that need to know them. CIE can be used to make sure this data is redistributed to where it needs to be known. This is similar to users and groups and authentication: while you can currently do this using Palo Alto Networks firewalls and Panorama, having it configured in CIE and then just pointing your firewalls, Panorama, and Prisma Access to CIE simplifies the process.
John:
Great Info Angelo, so as a recap, what does CIE give us?
Angelo:
So the main thing is you can centralize the configuration and then Palo Alto Networks products can use CIE for authentication, user and group information and also certain data redistribution.
John:
Really good info, just one last question, anything to be aware of when using CIE?
Angelo:
Really good question, John. So the one thing that we recommend is to just check the supported features in CIE against the products and the versions you use. As an example, the data redistribution service in CIE, which is called User Context, will only work with devices that are currently on PAN-OS 11.0 or higher. This is one of those things that really should be checked anyway when using different features on Palo Alto Networks products, but I thought I would note it for this specific reason.
John:
Thanks so much again Angelo, great info on CIE.
Angelo:
You’re welcome John, can’t wait to come back for another episode.
For our listeners please do not forget to check the transcript of this episode for some troubleshooting resources.
John:
I’m sure you’ll be back soon Angelo! PANCasters, I hope you enjoyed today’s episode. Remember the transcript and additional information is available at live.paloaltonetworks.com. Until next time.