Using Cloud IDentity Engine to enforce group-based policies in Azure AD

L3 Networker

Hi All,

Question on retrieving user-group mappings only, using Cloud Identity Engine to enforce group-based policies.

So I have this setup at the moment:
Panorama-managed FWs in Azure with GlobalProtect (works)
The FWs currently use SAML for authenticating GP users against Azure AD (works)

Additionally, what I want to achieve is the following.
To setup group-based policies on the FW to allow for instance:

Source: Zone - GP_VPN
User group: GROUP_SALES can access zone TRUST - 10.10.10.0/24 on HTTPS only

Source: Zone - GP_VPN
User group: GROUP_HR can access zone TRUST - 10.20.20.0/24 on HTTPS only

Source: Zone - GP_VPN
User group: GROUP_Accounts can access zone TRUST - 10.30.30.0/24 on HTTPS only

So I only want the FW to enforce Azure AD group-based policies for users connecting via GlobalProtect.

So from what I can tell, this is possible with Cloud Identity Engine.

Questions:
Will this work and not affect my current SAML config?
Do I need to enable/configure User-ID (not enabled atm anywhere)?

So, looking at this doc from PAN, it seems to do what I want to do, but I just need a second pair of eyes please.

https://docs.paloaltonetworks.com/cloud-identity/cloud-identity-engine-getting-started/authenticate-...


Thanks in advance

3 REPLIES

Cyber Elite

You need to ensure the GP_VPN zone has User-ID enabled; that ensures user IDs are mapped and logged etc.

Afterwards you can connect CIE without causing impact; this will simply load all your available groups to the firewall.

Once that's done you can start adding groups to security rules.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
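The three steps in the reply above, written out as Panorama set-format CLI plus the operational checks to confirm the mappings exist before trusting the rules. This is an added example, not from the thread or from Palo Alto Networks documentation; the template name GP-Template, device group GP-DG, vsys1, the rule names and the group identifier placeholders are assumptions, and the group strings must be whatever the firewall's group list shows for the CIE-learned groups.

```text
# Panorama configure mode (set format). Template, device-group, rule and
# group names below are assumptions for this example.

# Step 1: enable User-ID on the GlobalProtect zone. GlobalProtect gateways
# populate the IP-to-user mapping at logon, so no separate User-ID agent is
# needed; without this zone setting the mapping is not applied to traffic.
set template GP-Template config vsys vsys1 zone GP_VPN network enable-user-identification yes

# Step 2 is done in the GUI: Device > User Identification > Cloud Identity
# Engine in the template, then commit and push.

# Step 3: reference the CIE-learned Azure AD groups in device-group rules.
# Application ssl on service-https gives "HTTPS only" when traffic is not
# decrypted; add web-browsing if SSL decryption is in place for these flows.
set device-group GP-DG pre-rulebase security rules GP-SALES-HTTPS from GP_VPN to TRUST source any destination 10.10.10.0/24 source-user "<CIE-group-string-for-GROUP_SALES>" application ssl service service-https action allow log-end yes
set device-group GP-DG pre-rulebase security rules GP-HR-HTTPS from GP_VPN to TRUST source any destination 10.20.20.0/24 source-user "<CIE-group-string-for-GROUP_HR>" application ssl service service-https action allow log-end yes
set device-group GP-DG pre-rulebase security rules GP-ACCOUNTS-HTTPS from GP_VPN to TRUST source any destination 10.30.30.0/24 source-user "<CIE-group-string-for-GROUP_Accounts>" application ssl service service-https action allow log-end yes

# Explicit, logged deny after the group rules so a VPN user who is in none of
# the groups, or whose IP has no user mapping yet, reaches nothing in TRUST.
set device-group GP-DG pre-rulebase security rules GP-DENY-REST from GP_VPN to TRUST source any destination any source-user any application any service any action deny log-end yes

# Firewall operational mode: verify groups arrived from CIE and that a
# connected GP user actually has a mapping, before relying on the rules.
show user group list
show user group name "<CIE-group-string-for-GROUP_SALES>"
show user ip-user-mapping all
```

A traffic-log entry for a GP_VPN session with an empty Source User column means the zone setting or the mapping is missing, not the group membership, so check that before touching the rules.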

L3 Networker

Awesome, thanks.

L3 Networker

Quick update.

CIE app activated, Azure config done, CIE can connect and I can see user groups/names etc. within the CIE app. All good.

However, I'm stuck on the FWs.

I have Panorama with managed FWs.

In the template group I configured CIE with the tenant and domain info (auto-retrieved, so it tells me it connects OK); changes committed.

In Panorama, if I go into a security rule in my device group policy, I am unable to pull the user details.

However, if I change to the FW context and create a dummy rule, then I am able to see the users/groups pulled from CIE.

So not sure why this is.

I have configured the CIE profile only in Panorama > Device > User Identification > Cloud Identity Engine.

I followed this doc, but I'm stuck at step 8 😞

https://docs.paloaltonetworks.com/cloud-identity/cloud-identity-engine-getting-started/authenticate-...

Any ideas?

Thanks
