Cloud Identity Engine (CIE) and group mapping on firewalls - Groups and/or group membership updates not working as expected


I just wanted to let more folks know about this KB article concerning Cloud Identity Engine (CIE) and group mapping on firewalls. Knowing about this issue documented in the KB ahead of time would have saved a lot of frustration for us. It's information that SHOULD be in the main documentation, but isn't.


"How to push Cloud Identity Engine (CIE) managed group-mapping to the Firewalls"


What Happened

We have Prisma Access. (This would also apply to GlobalProtect VPN and any use case that needs groups and group membership coming from CIE.) We have an Internal Gateway defined. The firewalls use a group sourced from CIE to gate who can connect to the Internal Gateway. The group existed, but the membership was not being updated. It had 58 members on the firewall. It has 149 members on CIE. 


What You Need To Do (KB Article Summary)

If you have groups in your firewalls that come from Cloud Identity Engine (CIE), those groups MUST be added under the Security Policy somewhere for the firewall to properly pick them up and keep the memberships up to date.


Impact

If you don't do this, the firewall may or may not get the group and/or may not apply updates to the group membership. 


Workaround / Fix

After reading the KB article, I ended up defining a do-nothing, impossible-to-satisfy rule at the bottom of my security policy that references the CIE groups I needed. Group mapping, specifically getting group membership updates, started working properly as soon as the firewall commit was completed.


Hope this is useful information for other folks!
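As an added illustration of the workaround described above (not from the original post, the KB article, or Palo Alto Networks documentation), this is what the anchor rule and the membership check look like on the CLI of a locally managed PAN-OS firewall. The rule name, the group DN and the unroutable destination address are assumptions; on Panorama or Prisma Access the rule lives in the device-group rulebase instead, so the set syntax differs.

```text
# Configure mode: a deny rule whose only purpose is to reference the CIE group.
# The destination is an RFC 5737 documentation address (assumed), so no real
# traffic can ever match this rule and it changes nothing for existing policy.
configure
set rulebase security rules CIE-Group-Anchor from any to any source any destination 192.0.2.1 source-user "cn=vpn-internal-gw,ou=groups,dc=example,dc=com" application any service any action deny
set rulebase security rules CIE-Group-Anchor description "Do-nothing rule so the firewall subscribes to this CIE group"
commit
exit

# Operational mode: confirm the group is now known to the firewall and compare
# its member count against what CIE reports (the post saw 58 vs 149 before the fix).
show user group list
show user group name "cn=vpn-internal-gw,ou=groups,dc=example,dc=com"
```

Re-run the membership check after the next CIE sync to confirm the count keeps tracking CIE rather than staying frozen at the old value.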
