11-16-2023 05:11 PM
I just wanted to let more folks know about this KB article concerning Cloud Identity Engine (CIE) and group mapping on firewalls. Knowing about this issue documented in the KB ahead of time would have saved a lot of frustration for us. It's information that SHOULD be in the main documentation, but isn't.
"How to push Cloud Identity Engine (CIE) managed group-mapping to the Firewalls"
What Happened
We have Prisma Access. (This would also apply to GlobalProtect VPN and any use case that needs groups and group membership coming from CIE.) We have an Internal Gateway defined. The firewalls use a group sourced from CIE to gate who can connect to the Internal Gateway. The group existed, but the membership was not being updated. It had 58 members on the firewall. It has 149 members on CIE.
What You Need To Do (KB Article Summary)
If you have groups in your firewalls that come from Cloud Identity Engine (CIE), those groups MUST be added under the Security Policy somewhere for the firewall to properly pick them up and keep the memberships up to date.
Impact
If you don't do this, the firewall may or may not get the group and/or may not apply updates to the group membership.
Workaround / Fix:
After reading the KB article, I ended up defining a do-nothing, impossible-to-satisfy rule at the bottom of my security policy that references the CIE groups I needed. Group mapping, specifically getting group membership updates, started working properly as soon as the firewall commit was completed.
Hope this is useful information for other folks!
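An added example of the kind of placeholder rule described in the post, written in PAN-OS CLI set-command form; it is not from the original post or the KB, and the rule name, address object and group DN are placeholders (the post does not show its own rule):

```panos
# Placeholder rule whose only job is to reference the CIE group so the
# firewall fetches the group and keeps its membership refreshed.
# CIE-Placeholder-Host, CIE-Group-Mapping-Placeholder and the group DN are
# made-up placeholders; substitute your own names and the DN as shown by CIE.
configure
# Source and destination are the same documentation-range /32, so no real
# traffic can ever match the rule (the "impossible to satisfy" part).
set address CIE-Placeholder-Host ip-netmask 192.0.2.1/32
set rulebase security rules CIE-Group-Mapping-Placeholder from any to any source CIE-Placeholder-Host destination CIE-Placeholder-Host source-user "cn=cie-vpn-users,ou=groups,dc=example,dc=com" application any service any action deny
# Keep it last so it can never shadow a real rule.
move rulebase security rules CIE-Group-Mapping-Placeholder bottom
commit
exit
# After the commit, compare the member count the firewall now reports
# against what CIE shows for the same group.
show user group name "cn=cie-vpn-users,ou=groups,dc=example,dc=com"
```

On Panorama or Prisma Access the same rule belongs in the shared or device-group rulebase that is pushed to the firewalls; the `show user group name` check is still run on the firewall itself.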