Using Cloud IDentity Engine to enforce group-based policies in Azure AD

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Using Cloud IDentity Engine to enforce group-based policies in Azure AD

L3 Networker

Hi All,

Question on retrieving user-group mappings only, using Cloud Identity Engine to enforce group-based policies.

 

So i have this setup at the moment:
Panorama managed FWs in Azure with Global protect (works)
The FWs use SAML currently for authenticating GP users against Azure AD (works)

Additionally, what I want to achieve is the following.
To setup group-based policies on the FW to allow for instance:

Source: Zone - GP_VPN
user group: GROUP_SALES can access Zone TRUST - 10.10.10.0/24 on https only

Source: Zone - GP_VPN
user group: GROUP_HR can access zone TRUST 10.20.20.0/24 on https only

 

Source: Zone - GP_VPN
user group: GROUP_Accounts can access zone TRUST 10.30.30.0/24 on https only


So I only want the FW to enforce Azure AD-Group based policies for users connecting via Globalprotect.

 

So from what I can tell, this is possible with Cloud Identity Engine.

 

questions:
will this work and not affect my current SAML config.
do i need to enable/configure user-id (not enabled atm anywhere)

 

so looking at this doc from PAN, it seems to do what I want to do.. but just need a second pair of eyes please.

 

https://docs.paloaltonetworks.com/cloud-identity/cloud-identity-engine-getting-started/authenticate-...

 

thanks in adv

3 REPLIES 3

Cyber Elite
Cyber Elite

you need to ensure the GP_VPN zone has user-id enabled, that ensures user-ids are mapped and logged etc

afterwards you can connect CIE, without causing impact, this will simply load all your available groups to the firewall

once that's done you can start adding groups to security rules

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

L3 Networker

Awesome thanks..

L3 Networker

quick update..

CIE app activated, Azure config done, CIE can connect and i can see user groups/names etc within CIE App.. all good.

however stuck on the FWs..

i have panorama with managed FWs..

in the template group i configured CIE with the tenant and domain info (auto retrieved so tells me it connects ok) - changes committed.

In Panorama, if i go into a security rule on my device group policy, i am unable to pull the user details..

however If i change to the FW context and create a dummy rule, then i am able to see the users/groups pulled from CIE

 

so not sure why this is.

I have configured CIE profile only in panorama>device>User Identification> Cloud Identity Engine

 

i followed this doc. but stuck at step 8 😞

 

https://docs.paloaltonetworks.com/cloud-identity/cloud-identity-engine-getting-started/authenticate-...

 

any ideas?

thanks

 

  • 1485 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!