09-27-2023 11:55 AM
Hi @BFC ,
I wish the PANW CIE documentation was more clear. From my understanding, the CIE does NOT map users to IP addresses. It maps users to groups.
Look at the last command in this doc -> https://docs.paloaltonetworks.com/cloud-identity/cloud-identity-engine-getting-started/authenticate-.... "On the firewall, use the show user ip-user-mapping all command to verify that the mapping information is available to the firewall." My guess is that you have no user-to-IP mappings. What is the output of that command on your NGFW?
Notice the 2nd to the last paragraph on this doc -> https://docs.paloaltonetworks.com/cloud-identity/cloud-identity-engine-getting-started/get-started-w.... “On the firewall, configure an Authentication policy that requires users to log in using Authentication Portal to access resources such as the internet.” It is this Authentication Policy (not to be confused with the CIE Authentication Profile) that actually captures the user IP addresses when they successfully authenticate. The web page used for logins is called the Authentication Portal or Captive Portal. Without this piece, AAD or CIE has no idea what the user's IP address is.
That's a huge part of the solution that is rarely mentioned! Authentication Portal takes quite a few steps to configure. Plus, your users now have an extra login. The good news is that once you configure User-ID for user-to-IP mappings, you can do some cool stuff. You also are not limited to the Authentication Portal. You can use any method in the diagram here -> https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/user-id-overview as long as the username format matches.
Are your users logging into the network already, such as WiFi 802.1x? You can forward that info to the NGFW using syslog. Do your users already have GlobalProtect? You can set it up with Internal Host Detection.
Thanks,
Tom
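The reply above boils down to two checks a defender would run: does `show user ip-user-mapping all` return any mappings at all, and do the usernames in those mappings use the same format (for example `domain\user`) that the group mapping expects? The script below is an added example, not code from the original post or from Palo Alto Networks. It parses the tabular output of that CLI command, counts mappings by source (CP for Authentication Portal, GP for GlobalProtect, SYSLOG for forwarded 802.1x logins, and so on), and flags usernames that do not carry the expected domain prefix. The sample output embedded in it is constructed for illustration; the column layout follows the PAN-OS CLI, but the IPs, users and `example` domain are made up.

```python
"""Sanity-check User-ID mappings pulled from the PAN-OS CLI.

Parses the table printed by `show user ip-user-mapping all`, summarises
where the mappings came from, and flags usernames whose format does not
match the domain\\user form that group-based policy matching relies on.
SAMPLE_OUTPUT is constructed for this example and is not real firewall data.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: one Authentication Portal (CP) login, one GlobalProtect
# (GP) login, and one syslog-fed login whose username lacks the domain prefix.
SAMPLE_OUTPUT = """\
IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
10.20.30.41     vsys1  CP      example\\jdoe                    2387           2400
10.20.30.42     vsys1  GP      example\\asmith                  Never          Never
10.20.30.77     vsys1  SYSLOG  asmith                           2400           2400
Total: 3 users
"""

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


@dataclass
class Mapping:
    ip: str
    vsys: str
    source: str   # CP, GP, SYSLOG, AD, XMLAPI, ... as printed in the "From" column
    user: str


def parse_ip_user_mapping(text: str) -> list[Mapping]:
    """Return one Mapping per data row; header, separator and Total lines are skipped."""
    mappings = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows start with an IPv4 address and have six whitespace-separated columns.
        if len(parts) < 6 or not IPV4.match(parts[0]):
            continue
        mappings.append(Mapping(ip=parts[0], vsys=parts[1], source=parts[2], user=parts[3]))
    return mappings


def count_by_source(mappings: list[Mapping]) -> Counter:
    """How many mappings each User-ID method contributed (CP, GP, SYSLOG, ...)."""
    return Counter(m.source for m in mappings)


def users_with_bad_format(mappings: list[Mapping], expected_domain: str) -> list[Mapping]:
    """Mappings whose username is not of the form <expected_domain>\\<user>.

    A mapping in the wrong format will never match a group learned from the
    directory, so policy written against that group silently fails to apply.
    """
    pattern = re.compile(rf"^{re.escape(expected_domain)}\\[^\\]+$", re.IGNORECASE)
    return [m for m in mappings if not pattern.match(m.user)]


def report(text: str, expected_domain: str) -> str:
    """Human-readable summary of the two checks the post recommends."""
    mappings = parse_ip_user_mapping(text)
    if not mappings:
        return "no user-to-IP mappings: user/group-based policy cannot match anything"
    lines = [f"{len(mappings)} mapping(s) by source: {dict(count_by_source(mappings))}"]
    for m in users_with_bad_format(mappings, expected_domain):
        lines.append(f"format mismatch: {m.ip} ({m.source}) -> {m.user!r}, "
                     f"expected {expected_domain}\\<user>")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_OUTPUT, "example"))
```

In practice you would capture the CLI output (or the equivalent XML API response) and feed it to `report()` with your own domain; an empty result is exactly the "you have no user-to-IP mappings" situation the reply describes, and a format mismatch points at the User-ID source that needs its username format aligned.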