Configure an IP Tag Cloud Connection
Table of Contents
Configure an IP Tag Cloud Connection
Learn how to configure the Cloud Identity Engine to collect IP-Tags for policy
enforcement.
IP tag cloud connection supports regions based in the United
States.
To configure the Cloud Identity Engine to collect IP address-to-tag (also known as
IP-tag) information for policy enforcement, configure a connection to your
cloud-based identity management system to synchronize the mappings. The identity
management system provides the IP-tag information to the edge service for
processing, which then provides the information to the firewalls for policy
enforcement.
If you want to collect IP address-to-tag (IP-tag) information from VM Series
firewalls, you must grant the required permissions for your cloud-based identity
management system.
- For Azure, grant thereadpermissions as described in the Azure Monitoring section in the VM Series documentation.
- For AWS, grant the Amazon Role Name (ARN)describeroles as described in the IAM Roles and Permissions for Panorama section as shown in the JSON example in the VM Series documentation. For more information on the ARN, refer to the AWS documentation.
If you use Strata Cloud Manager, you can view your
IP-tag information using the unified interface and use it to create your tag-based security policy.
For each region, you can synchronize up to 20,000 IP-tag mappings from a cloud
service in a monitoring configuration at one time. For instance, if you have
1,000 IP addresses, you will be able to synchronize them all if each IP address
has equal to or fewer than 20 tags. After performing the initial
synchronization, you can continue to add more IP-tag mappings in subsequent
synchronizations, with each synchronization allowing up to an additional 20,000
mappings. Only the new or modified mappings will be synchronized each time.
- If you have not already done so, activate User Context and configure a segment to receive the mapping information.
- Select .
- Select theCredential Configurationtab if it is not already selected.
- Enter a unique and descriptiveNamefor the configuration.
- (AWS only) Configure your AWS connection.To open your AWS administrator portal in a new window so you can create or edit any necessary ARNs, clickOpen CFTand log in with your AWS credentials.
- Enter yourAccess Key ID.To learn how to obtain your access key ID and secret access key, refer to the AWS documentation.
- Enter yourSecret Access Key.
- Reenter your secret access key toConfirm Secret Access Key.
- (Optional) Enter aRole ARN NameandRole ARN Value.To configure additional Role ARNs, clickAdd Role ARNfor each Role ARN you want to include.If you specify an ARN, you cannot also specify a VPC.
- (Azure only) Configure your Azure connection.
- Enter yourClient ID.To learn how to obtain the client ID and client secret, refer to the Azure documentation.
- Enter yourClient Secret.
- Enter yourTenant ID.To learn how to obtain the tenant ID and subscription ID, refer to the Azure documentation.
- Enter yourSubscription ID.
- Verify the connection by clicking theTest Connectionbutton.For AWS configurations, you can optionally select theRegionbefore testing the connection. By default, the Cloud Identity Engine selects theUS Westregion; if this region does not allow API requests, select a region that can allow API requests.Even if the connection test is not successful, you can still submit your configuration; until the connectivity issues are resolved, the configuration status isNot connected. You must resolve the connection issues for the configuration to successfully retrieve the IP-tag mappings.
- Submitthe configuration.
- To configure a connection for monitoring purposes (such as audits) or to share the IP-tag mapping information using a segment, select theMonitor & Statustab.There are three states for the connection:
- Connected—The Cloud Identity Engine has successfully established a connection.
- Partially connected—The Cloud Identity Engine could successfully establish a connection to some aspects of the configuration, such as regions or VPCs for AWS, but not all of them.
- Not connected—The Cloud Identity Engine could not successfully establish a connection with the current configuration.
- Set Up a New Monitor Configurationand select the type of monitor configuration.
- Enter a unique and descriptiveNamefor the configuration.
- Select theCredential Configurationthat you configured.
- (AWS only) Optionally select theRole ARNyou want to use.
- Select if you want to configure the connection forAll Regions,All VPCs(AWS only), or both.To select a specific region or virtual private cloud (VPC), deselect theAll RegionsorAll VPCscheckbox and allow the list of regions or VPCs to populate, then select the region or VPC you want to include. To select a specific VPC, you must select a region first.
- Define thePolling Interval (in seconds)to specify how frequently the Cloud Identity Engine checks for new data.The default is 60 seconds and the range is 60–1800 seconds.
- Select the segment you configured in Step 1.Because you cannot select another segment after you submit the configuration, ensure you select the correct segment before submitting the configuration. If you need to change the segment after you submit the configuration, you must create a new configuration and select the segment you want to use.
- Submitthe configuration.
- (Strata Cloud Manager only) If you are using Strata Cloud Manager, view the tags that the Cloud Identity Engine shares with Strata Cloud Manager by selecting an address group then select theTags from CIEtab when you add match criteria.
