Configure an IP Tag Cloud Connection
Learn how to configure the Cloud Identity Engine to collect IP-Tags for policy
enforcement.
To collect IP address-to-tag (IP-tag) information for policy enforcement, configure a
connection from the Cloud Identity Engine to your cloud service provider so that it can
synchronize the mappings. The cloud service provider supplies the IP-tag information to
the Cloud Identity Engine edge service for processing, and the edge service then passes
the mappings to the firewalls for policy enforcement.
To collect IP-tag information from your cloud service provider, you must grant the Cloud
Identity Engine the required permissions. The collector only reads inventory and tags, so
the identity you create for it should carry no permissions beyond the ones listed in the
VM-Series documentation.
- Azure— Grant the service account the read permissions described in the Azure Monitoring section of the VM-Series documentation.
- Amazon Web Services (AWS)— Grant the IAM role or user whose Amazon Resource Name (ARN) you will enter in the credential configuration the permissions shown in the JSON example in the IAM Roles and Permissions for Panorama section of the VM-Series documentation. For more information on ARNs, refer to the AWS documentation.
- Google Cloud Platform (GCP)— Grant the service account the IAM roles described in the VM-Series documentation.
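Before entering AWS credentials, it helps to confirm that the policy attached to the IAM user or role really is read-only. The following is an added example (Python; not Cloud Identity Engine or VM-Series code) that lints an IAM policy document and flags wildcard actions and any action that is not a Describe, Get or List call. The two sample policies are constructed for illustration, and treating Describe/Get/List as the read-only set is an assumption of the example; the exact action list the VM-Series documentation specifies remains the authority.

```python
"""Lint an IAM policy for an IP-tag collector identity: flag anything beyond read access.

Added example, not Cloud Identity Engine or VM-Series code.
"""
import json

# Verbs that only read state. Treating Describe/Get/List as the read-only set
# is an assumption of this example; the actions the collector actually needs
# are the ones listed in the VM-Series documentation.
READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def _as_list(value):
    """IAM allows a string, a dict or a list in Action/Statement; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def check_policy(policy_json):
    """Return findings for every Allow statement that grants more than read access.

    An empty list means every allowed action is a Describe/Get/List call and no
    wildcard action is granted. Resource "*" is deliberately not flagged, because
    EC2 Describe* calls do not support resource-level restrictions.
    """
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt:
            findings.append(f"statement {idx}: NotAction allows everything not listed")
        for action in _as_list(stmt.get("Action")):
            _service, _, verb = action.partition(":")
            if action == "*" or verb == "*":
                findings.append(f"statement {idx}: wildcard action {action!r}")
            elif not verb.startswith(READ_ONLY_PREFIXES):
                findings.append(f"statement {idx}: non-read action {action!r}")
    return findings


# Constructed sample: read-only inventory access of the kind an IP-tag collector
# needs. Illustrative only; it is not the documented required policy.
READ_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:DescribeInstances", "ec2:DescribeTags",
                   "ec2:DescribeVpcs", "ec2:DescribeRegions"],
        "Resource": "*",
    }],
})

# Constructed sample of what not to grant to a collector.
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:*", "iam:PassRole"],
        "Resource": "*",
    }],
})

if __name__ == "__main__":
    for name, doc in (("read-only", READ_ONLY_POLICY), ("overbroad", OVERBROAD_POLICY)):
        print(name, check_policy(doc) or "OK")
```

Run it against the policy you exported from the IAM console (`aws iam get-policy-version` output, or the JSON you pasted into the role) before you paste the access key into the Cloud Identity Engine; a non-empty list is a reason to trim the policy, not to proceed.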
If you use Strata Cloud Manager, you can view the IP-tag information in its unified
interface and use it to create your tag-based security policy.
For each region, a monitoring configuration can synchronize up to 20,000 IP-tag mappings
from a cloud service at one time. A mapping is one IP address paired with one tag, so
1,000 IP addresses synchronize completely as long as each has 20 or fewer tags. After the
initial synchronization, each subsequent synchronization can add up to another 20,000
mappings; the Cloud Identity Engine syncs only the new or modified mappings each time.
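To make the capacity figures concrete, here is an added Python example (not Cloud Identity Engine code) that builds the IP-to-tag and tag-to-IP views the Monitor & Status page exposes from data in the shape EC2 DescribeInstances returns, counts mappings the way the 20,000-per-region cap counts them, and plans a sync that pushes only new or modified mappings. The sample response is constructed; naming a tag as "Key:Value" and reading the cap as a per-sync limit on additions are assumptions made for illustration.

```python
"""Build IP-tag mappings from EC2 instance data and plan a sync under the per-region cap.

Added example, not Cloud Identity Engine code. Consumes data in the shape returned by
EC2 DescribeInstances (Reservations -> Instances -> Tags). The "Key:Value" tag naming
is an assumption; the page does not describe the real tag format.
"""
from collections import defaultdict

PER_REGION_CAP = 20_000  # from the page: 20,000 IP-tag mappings per region per sync

# Constructed sample of what DescribeInstances might return for one region.
SAMPLE_RESPONSE = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0a1", "VpcId": "vpc-111", "PrivateIpAddress": "10.0.1.10",
             "Tags": [{"Key": "Role", "Value": "web"}, {"Key": "Env", "Value": "prod"}]},
            {"InstanceId": "i-0a2", "VpcId": "vpc-111", "PrivateIpAddress": "10.0.1.11",
             "Tags": [{"Key": "Role", "Value": "db"}, {"Key": "Env", "Value": "prod"}]},
        ]},
        {"Instances": [
            {"InstanceId": "i-0b1", "VpcId": "vpc-222", "PrivateIpAddress": "10.0.2.10",
             "Tags": [{"Key": "Role", "Value": "web"}, {"Key": "Env", "Value": "dev"}]},
            # An instance without tags contributes no mappings.
            {"InstanceId": "i-0b2", "VpcId": "vpc-222", "PrivateIpAddress": "10.0.2.11"},
        ]},
    ]
}


def ip_to_tags(response, vpc_id=None):
    """Map each private IP to the set of 'Key:Value' tags on its instance (the IP To Tag view).

    vpc_id, if given, restricts the result to one VPC, like the page's VPC filter.
    """
    mapping = {}
    for reservation in response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if vpc_id and inst.get("VpcId") != vpc_id:
                continue
            ip = inst.get("PrivateIpAddress")
            if not ip:
                continue
            tags = {f"{t['Key']}:{t['Value']}" for t in inst.get("Tags", [])}
            if tags:
                mapping[ip] = tags
    return mapping


def tag_to_ips(ip_tags):
    """Invert an IP->tags mapping into tag->IPs (the Tag To IP view)."""
    inverted = defaultdict(set)
    for ip, tags in ip_tags.items():
        for tag in tags:
            inverted[tag].add(ip)
    return dict(inverted)


def count_mappings(ip_tags):
    """One mapping per (IP, tag) pair; this is what the 20,000 cap counts."""
    return sum(len(tags) for tags in ip_tags.values())


def plan_sync(previous, current, cap=PER_REGION_CAP):
    """Compute what one sync pushes: only new or modified mappings, at most `cap` additions.

    Returns (to_add, to_remove, deferred): to_add and to_remove are sets of (ip, tag)
    pairs; deferred is the number of additions beyond the cap that wait for a later sync.
    """
    prev_pairs = {(ip, t) for ip, tags in previous.items() for t in tags}
    cur_pairs = {(ip, t) for ip, tags in current.items() for t in tags}
    to_remove = prev_pairs - cur_pairs
    additions = sorted(cur_pairs - prev_pairs)  # deterministic order for the cut-off
    to_add = set(additions[:cap])
    return to_add, to_remove, len(additions) - len(to_add)


if __name__ == "__main__":
    current = ip_to_tags(SAMPLE_RESPONSE)
    print("mappings:", count_mappings(current))
    print("Role:web ->", sorted(tag_to_ips(current)["Role:web"]))
    added, removed, deferred = plan_sync({}, current)
    print(f"initial sync adds {len(added)}, removes {len(removed)}, defers {deferred}")
```

The page's example of 1,000 addresses with up to 20 tags each is exactly `count_mappings` reaching the cap; give one of those addresses a 21st tag and `plan_sync` reports the overflow as deferred rather than dropping it silently.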
- If you have not already done so, activate User Context and configure a segment to receive the mapping information.
- Select User Context > IP-Tag Collection.
- Select the Credential Configuration tab (if it does not already display).
- To Set Up a New Credential Configuration, select the cloud service provider you want to use.
- AWS—Connect to an Amazon Web Services (AWS) instance.
- Azure—Connect to a Microsoft Azure Active Directory instance.
- Google Cloud Platform—Connect to a Google Cloud Platform (GCP) instance.
- Enter a unique and descriptive Name for the configuration.
- (AWS only) Configure your AWS connection. To open your AWS administrator portal in a new window so you can create or edit any necessary ARNs, click Open CFT and log in with your AWS credentials.
- Enter your Access Key ID. To learn how to obtain your access key ID and secret access key, refer to the AWS documentation.
- Enter your Secret Access Key.
- Reenter your secret access key to Confirm Secret Access Key.
- (Optional) Enter a Role ARN Name and Role ARN Value. To configure additional Role ARNs, click Add Role ARN for each Role ARN you want to include. If you specify an ARN, you can't also specify a VPC.
- (Azure only) Configure your Azure connection.
- Enter your Client ID. To learn how to obtain the client ID and client secret, refer to the Azure documentation.
- Enter your Client Secret.
- Enter your Tenant ID. To learn how to obtain the tenant ID and subscription ID, refer to the Azure documentation.
- Enter your Subscription ID.
- (Google Cloud Platform only) Configure your GCP connection.
- Create credentials for a service account in your Google Cloud console, then download and save the JSON file in a safe location. The file contains the service account's private key, so protect it as you would any other credential.
- Click Browse files and click Open to navigate to the JSON file, or drag and drop the GCP credential JSON file.
- Verify the connection by clicking the Test Connection button. For AWS configurations, you can optionally select the Region before testing the connection. By default, the Cloud Identity Engine selects the US West region; if this region does not allow API requests, select a region that does. Even if the connection test isn't successful, you can still submit your configuration; until you resolve the connectivity issues, the configuration status is Not connected, and the configuration cannot retrieve IP address-to-tag mappings until the connection succeeds.
- Submit the configuration.
- (Strata Cloud Manager only) View the tags that the Cloud Identity Engine shares with Strata Cloud Manager by selecting an address group, then select the Tags from CIE tab when you add match criteria.
- To configure a connection to your cloud service provider for monitoring purposes (such as audits), or to share the IP address-to-tag mapping information using a segment, select the Monitor & Status tab. A connection to the cloud service provider can be in one of four states:
- Connected—The Cloud Identity Engine has successfully established a connection.
- Partially connected—The Cloud Identity Engine could successfully establish a connection to some aspects of the configuration, such as regions or VPCs for AWS, but not all of them.
- Connection pending—The Cloud Identity Engine has successfully established a connection but has not completed the sync of the IP-tag mappings from one or more regions. For more information on the connection status, select Click to see details.
- Not connected—The Cloud Identity Engine couldn’t successfully establish a connection with the current configuration.
- Set Up a New Monitor Configuration and select the type of monitor configuration that matches the credential configuration you set up earlier.
- Enter a unique and descriptive Name for the configuration.
- Select the Credential Configuration that you set up earlier.
- (AWS only) Optionally select the Role ARN you want to use.
- Select whether to configure the connection for All Regions, All VPCs (AWS only), or All Project IDs (GCP only). To select a specific region or virtual private cloud (VPC), clear the All Regions or All VPCs check box, wait for the list of regions or VPCs to populate, then select the region or VPC you want to include. To select a specific VPC, you must first select one or more regions or select all regions.
- (Azure only) Select whether you want to Fetch Service Tags. If you select this option, the Cloud Identity Engine syncs the service tags from Azure.
- Define the Polling Interval (in seconds) to specify how frequently the Cloud Identity Engine checks for new data. The default is 60 seconds and the range is 60–1800 seconds.
- If you want to share the mappings, select the segment you configured in the first step. If you want this configuration only for monitoring, without sending mappings to any firewalls, select None. You can't change the segment after you submit the configuration, so make sure you select the correct segment first; to use a different segment later, you must create a new configuration and select that segment in it.
- Submit the configuration.
- Search and monitor your configurations in the Cloud Identity Engine.
- Select the Monitor & Status tab.
- Use the filters to highlight the information you want to find.
- Name—Enter the name of a configuration to filter the results to that configuration.
- Vendor—Select the vendor type to filter the results to that vendor type.
- Status—Select the status (such as Connected or Partially Connected) to filter the results to that status.
- Segment—Select the Segment name to filter the results to that segment.
- Associated Credential—Select the name of the Associated Credential configuration to filter the results to that configuration.
- To remove the filter, click Reset.
- View more details for a specific configuration.
- Select the name of the configuration that you want to view from the IP-Tag Collection page.
- On the Monitor & Status page, review the Connection Details to view information such as the connection status.
- View the IP address-to-tag mapping information. Options vary depending on your configuration type.
- (AWS only) On the VPC tab, Search by VPC ID to view information for a specific VPC, or select the number in the IPs column to view the IP addresses associated with the VPC ID in that row.
- Select the Tag To IP tab and Search by Tag to locate IP address information for a specific tag. You can view the results for an exact or partial match for your query. You can optionally limit the search to a specific region or select All Regions.
- Select the number in the IPs column to view the IP addresses that the Cloud Identity Engine has collected for the selected Tag.
- Search by IP Address, then close the window or click Cancel after reviewing the IP addresses.
- Select the IP To Tag tab to Search by IP Address. For an AWS-based configuration, you can also search by VPC ID.
- Click the number in the Tags column to view the tags associated with the IP Address of that row.
- Search by Tag, then close the window or click Cancel after reviewing the tags.
- (Optional) Edit or remove configurations as needed.
- Click Edit to change the configuration and Submit your changes, or click Remove and click Yes to delete this configuration. Removing a configuration also removes all IP tags from associated devices, so any policy rules that match on those tags stop matching those addresses.
- You can also edit or delete the configuration from the IP-Tag Collection page.