New Features Introduced in November 2025

Find out more about the features introduced in the November 2025 release of the Cloud Identity Engine, including support for IP-tag information sharing with Strata Cloud Manager.
The following table provides a snapshot of new features introduced for the Cloud Identity Engine app in November 2025. Refer to the Cloud Identity Engine documentation for more information on how to use the Cloud Identity Engine.
Feature | Description
SSF Receiver with Okta
If user credentials in your network are compromised, attackers can gain access to your network resources because the firewall can’t detect that the account has been compromised. The Cloud Identity Engine (CIE) Security Signal Framework (SSF) Receiver enables you to receive risk signals from third-party identity providers such as Okta and use these signals in risk-based security rules on your next-generation firewalls and Prisma® Access. By configuring the SSF Receiver, you can detect events such as session revocation or credential changes, and then automatically take security actions like terminating sessions or enforcing multi-factor authentication.
When you configure the SSF Okta Receiver as a Risk Connection, CIE automatically receives risk signals that you can incorporate into your Conditional Dynamic User Groups (CDUGs). These groups can then be used in firewall security rules to implement adaptive access controls. For example, when Okta detects that a user's session has been revoked, you can automatically terminate their active network sessions or require additional authentication.
You can monitor stream health and activity using the Cloud Identity Engine, where you can view the status of connections, check event logs, and troubleshoot any issues that might arise. The Cloud Identity Engine provides clear error messages and remediation steps when problems occur with SSF streams, ensuring you can quickly address any connectivity issues. As your security needs evolve, you can modify or delete streams; the system warns you about changes with potential impacts to existing security policy rules.
The CIE SSF Receiver feature strengthens your security posture by adding real-time identity risk context to your security rules, enabling you to automatically respond to potential account compromises before attackers can exploit them. This integration between your identity providers and network security controls creates a more comprehensive and responsive security environment that adapts to changing risk conditions.
Custom Attribute
You can now create a new custom attribute for an Entra ID directory instead of customizing an existing attribute. This provides more flexibility when configuring custom attributes for your Entra ID directory. For more information, see .
IP Tag for Strata™ Cloud Manager
Tag-based security policy rules allow you to create language-based elastic rules by using Dynamic Address Groups (DAGs), which help you scale the number of firewalls in your network up or down to accommodate changing workload needs. However, in cloud environments where both workloads and firewalls frequently auto-scale, managing numerous tag-based security policy rules can require manual configuration so that recently deployed firewalls receive the necessary tag information.
The IP-tag collection and redistribution capabilities of Strata Cloud Manager (SCM) can help alleviate this burden by automating tag collection using the Cloud Identity Engine and providing the tag information to SCM based on the hierarchical structure. SCM also shares previously entered credential information for other Palo Alto Networks services with the Cloud Identity Engine, allowing you to simplify credential management, avoid repetitive configuration activities, and reduce the possibility of manual configuration errors.
As the number of firewalls in your environment increases or decreases, all of the firewalls in the configuration automatically receive the IP-tag information for all applicable scopes. If you remove a firewall from an IP-tag category, this action also removes any tags associated with that category. This also makes it easier to include additional IP-tag sources after the initial firewall deployment to help you manage your network more easily as the need for growth increases.
This integrated approach allows you to maintain a consistent and granular security posture as your cloud environment evolves, without the risk of error-prone manual updates. For more information, see .
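
As an added illustration of the SSF Receiver flow described above (not Palo Alto Networks or Okta code), the following Python example validates the claims of one signal and maps session-revocation and credential-change events to the two responses the text names. It assumes the signals arrive as OpenID Shared Signals Framework Security Event Tokens (RFC 8417) carrying CAEP event types and that the token signature has already been verified; the class name, action labels, example.com URLs and sample token are constructed for the example, and `risk_groups` only stands in for a Conditional Dynamic User Group.

```python
import time

CAEP = "https://schemas.openid.net/secevent/caep/event-type/"
# Assumed signal-to-response mapping, following the two actions the text names.
ACTIONS = {CAEP + "session-revoked": "terminate-sessions",
           CAEP + "credential-change": "require-mfa"}

class RiskSignalReceiver:
    """Hypothetical receiver: verified SET claims -> risk-group membership."""

    def __init__(self, issuer, audience, max_age=300):
        self.issuer, self.audience, self.max_age = issuer, audience, max_age
        self.seen_jti = set()   # token ids already processed (replay protection)
        self.risk_groups = {}   # action -> users; stands in for a dynamic user group

    @staticmethod
    def _subject(claims, body):
        # The subject is either top-level "sub_id" or inside the event body.
        sub = claims.get("sub_id") or body.get("subject") or {}
        sub = sub.get("user", sub)  # a complex subject nests the user identifier
        return sub.get("email") if sub.get("format") == "email" else None

    def handle(self, claims, now=None):
        """Validate claims whose signature was already verified; return actions."""
        now = time.time() if now is None else now
        aud = claims.get("aud")
        if claims.get("iss") != self.issuer:
            raise ValueError("unexpected issuer")
        if self.audience not in (aud if isinstance(aud, list) else [aud]):
            raise ValueError("unexpected audience")
        if abs(now - claims.get("iat", 0)) > self.max_age:
            raise ValueError("stale or future-dated token")
        jti = claims.get("jti")
        if not jti or jti in self.seen_jti:
            raise ValueError("missing or replayed jti")
        self.seen_jti.add(jti)
        applied = []
        for event_type, body in claims.get("events", {}).items():
            action, user = ACTIONS.get(event_type), self._subject(claims, body)
            if action and user:  # unknown event types are ignored, not fatal
                self.risk_groups.setdefault(action, set()).add(user)
                applied.append((user, action))
        return applied

# Constructed sample token payload (not captured from any real provider).
SAMPLE_SET = {"iss": "https://idp.example.com", "aud": "https://receiver.example.com",
              "iat": 1762000000, "jti": "constructed-0001",
              "events": {CAEP + "session-revoked": {
                  "subject": {"format": "email", "email": "alice@example.com"},
                  "event_timestamp": 1762000000}}}
```

Rejecting replayed `jti` values and stale `iat` timestamps keeps an old captured signal from changing group membership a second time.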