Identify Users and Devices with Cloud Identity Engine
Learn about CIE directories and identity redistribution.
Where Can I Use This?
  • NGFW
  • Prisma Access

What Do I Need?
  • The Cloud Identity Engine service is free; however, the enforcement points utilizing directory data may require specific licenses.
Network security relies on knowing exactly who is accessing your resources and understanding their current context. The Cloud Identity Engine goes beyond simple usernames by actively monitoring specific user details—called attributes—such as department, office location, and job title. Instead of relying on static lists that require manual updates, the engine uses this data to keep track of users in real time. For instance, if an employee moves from the "Marketing" department to "Finance," the engine detects this change immediately and automatically updates their access rights, ensuring that security policies are always based on the user's current role rather than outdated information.
  • Directory Integrations – To gather this information, the engine employs a Directory Sync service. For on-premises infrastructure, a lightweight Cloud Identity Agent securely communicates with local directories to collect attributes without requiring inbound ports to be opened on your domain controllers. For cloud-native identity providers, the engine connects directly via APIs or the System for Cross-domain Identity Management (SCIM) protocol. This ensures that your security infrastructure always has a current, read-only view of who is on the network, regardless of where the user identity actually resides.
  • Identity Redistribution – Once identity data is centralized, the Cloud Identity Engine redistributes it to your enforcement points—such as Next-Generation Firewalls, Panorama, and Prisma Access—through a feature called User Context. Instead of configuring complex, peer-to-peer redistribution meshes where every firewall must share mappings with every other device, your security devices simply subscribe to the Cloud Identity Engine. This streamlined approach ensures that user-to-IP mappings, device tags, and group memberships are shared instantly across the entire enterprise, enabling you to write consistent, identity-based security policies that follow users wherever they go.
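As an added illustration of the attribute-driven flow described above (example code, not Cloud Identity Engine's own), this Python sketch ingests a SCIM 2.0 User resource, keeps a user-to-IP mapping, and resolves policy from the synced department attribute; the policy table, user and IP addresses are constructed assumptions, and the store fails closed for unmapped or inactive users.

```python
import json
# SCIM 2.0 schema URNs (RFC 7643); the enterprise extension carries "department".
CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
# Constructed sample of what a SCIM provider might return for one user.
SAMPLE_USER = json.dumps({
    "schemas": [CORE, ENTERPRISE],
    "userName": "jdoe@example.com",
    "active": True,
    ENTERPRISE: {"department": "Marketing"},
})
# Hypothetical policy table keyed on the department attribute.
POLICY_BY_DEPARTMENT = {"Marketing": "allow-marketing-apps", "Finance": "allow-finance-apps"}
DEFAULT_POLICY = "deny-all"

class IdentityStore:
    """Stand-in for the attribute and user-to-IP view an enforcement point subscribes to."""
    def __init__(self):
        self.attributes = {}  # userName -> synced attributes
        self.ip_to_user = {}  # client IP -> userName

    def ingest_scim_user(self, raw):
        user = json.loads(raw)
        if CORE not in user.get("schemas", []):
            raise ValueError("not a SCIM core User resource")
        ext = user.get(ENTERPRISE, {})
        self.attributes[user["userName"]] = {
            "active": bool(user.get("active", False)),
            "department": ext.get("department"),
        }
        return user["userName"]

    def map_ip(self, ip, user_name):
        self.ip_to_user[ip] = user_name  # learned from the user-to-IP mapping feed

    def policy_for_ip(self, ip):
        attrs = self.attributes.get(self.ip_to_user.get(ip))
        if attrs is None or not attrs["active"]:
            return DEFAULT_POLICY  # unknown, unmapped or disabled user: fail closed
        return POLICY_BY_DEPARTMENT.get(attrs["department"], DEFAULT_POLICY)

def demo_department_move():
    """Same IP, same user; only the synced department attribute changes."""
    store = IdentityStore()
    store.map_ip("10.1.2.3", store.ingest_scim_user(SAMPLE_USER))
    before = store.policy_for_ip("10.1.2.3")
    moved = json.loads(SAMPLE_USER)  # constructed re-sync after HR moves the user
    moved[ENTERPRISE]["department"] = "Finance"
    store.ingest_scim_user(json.dumps(moved))
    return before, store.policy_for_ip("10.1.2.3")
```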