Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Prisma Access with CIE

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Prisma Access with CIE

L0 Member

Hi All,

 

Need your assistance. The problem is that test rule with user group doesn't have any hits. The users generating traffic are definitely part of the group.

Setup:

Prisma Access managed from On-prem Panorama.

CIE with AD sync. Users and groups are visible from CIE dashboard.

When policy rule configured I can choose from the groups list.

 

Unfortunately, there are no firewalls to verify if I can get user group membership from CIE.

 

I have concern regarding upper and lower case letters in the group name. *(DB article: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000sY3lCAE)

AD name: CN=WebAccess-Basic,OU=User,OU=myou,OU=ANOTHEROU,DC=ad,DC=MYDC,DC=org,DC=au

Policy rule name from the drop down list: cn=webaccess-basic,ou=user,ou=myou,ou=anotherou,dc=ad,dc=mydc,dc=org,dc=au

The only confusing thing is that I'm getting the drop down list from CIE, I can't believe it gives me the wrong format. And if so, then I'll need to make changes to each group I'm going to use through Group Mapping setting in Prisma device group, right?

I've attached some screenshots with configuration/settings for reference.

1 REPLY 1

L0 Member

@pavel.zemtsov wrote:

Hi All,

 

Need your assistance. The problem is that test rule with user group doesn't have any hits. The users generating traffic are definitely part of the group.

Setup:

Prisma Access managed from On-prem Panorama.

CIE with AD sync. Users and groups are visible from CIE dashboard.

When policy rule configured I can choose from the groups list.

 

Unfortunately, there are no firewalls to verify if I can get user group membership from CIE.

 

I have concern regarding upper and lower case letters in the group name. *(DB article: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000sY3lCAE)

AD name: CN=WebAccess-Basic,OU=User,OU=myou,OU=ANOTHEROU,DC=ad,DC=MYDC,DC=org,DC=au

Policy rule name from the drop down list: cn=webaccess-basic,ou=user,ou=myou,ou=anotherou,dc=ad,dc=mydc,dc=org,dc=au

The only confusing thing is that I'm getting the drop down list from CIE, I can't believe it gives me the wrong format. And if so, then I'll need to make changes to each group I'm going to use through Group Mapping setting in Prisma device group, right?

I've attached some screenshots with configuration/settings for reference.


@pavel.zemtsov 

You said the Test Rule with the user group doesn't have any hits and assuming that it doesn't have any spaces and all are lower cases when it auto-populates
in the firewall policies.

It has to be all lower case on the firewall.


Additionally You may also please refer the documentation below on how CIE populates the group names in the Security Policies.


https://docs.paloaltonetworks.com/prisma/prisma-access/3-2/prisma-access-panorama-admin/configure-us...


If your group info is auto-populates in the Firewall policies with all lowercases and no spaces and still it is not working I would recommend you to raise a support case to further to diagnose the exact causes why it's occurring.

  • 609 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!