Configure Your Network to Allow Cloud Identity Agent Traffic
Learn how to configure your network to allow traffic for the agent, your directory, and
the Cloud Identity Engine.
Depending on your network configuration and Cloud Identity Engine deployment type, allow the
traffic for the agent (if you have an on-premises directory), your directory, and
the Cloud Identity Engine.
- Based on your region, allow traffic to the hostname for that region. To determine which region-based traffic to allow, refer to the table in Configure the Cloud Identity agent. You need to allow traffic only for the region that you specify for your tenant; allow traffic for multiple regions only if you have tenants in multiple regions.
- Use the ssl App-ID in your Security policy (following our recommended Decryption Best Practices guidelines) to allow traffic to the Cloud Identity Engine.
- Cloud Identity agent version 1.7.0 and earlier versions require direct reachability to the regional agent configuration endpoint and don't support a proxy server between the agent and the endpoint. If your network configuration uses a proxy server, update the Cloud Identity agent to version 1.7.1 or later.
- If you have deployed a Palo Alto Networks firewall between the agent and the Cloud Identity Engine:
  - Use the paloalto-cloud-identity App-ID to allow traffic from the Cloud Identity agent to the Cloud Identity Engine. This App-ID requires the ssl and web-browsing application signatures.
  - Allow traffic from the Cloud Identity agent to the following URLs on the listed ports. The agent uses these hosts for certificate revocation checking and chain building; CRL and OCSP fetches are plain HTTP by design, so a rule that blocks all port 80 traffic breaks certificate validation even when port 443 is open.
    - http://crl.godaddy.com on port 80.
    - http://ocsp.godaddy.com on port 80.
    - https://certs.godaddy.com on port 443.
  - If you're using Secure Sockets Layer (SSL) decryption on the firewall, exclude the traffic between the agent and the Cloud Identity Engine from decryption. The agent and the service authenticate each other with certificates (mutual TLS); a decrypting firewall terminates the session and cannot present the agent's client certificate, so the handshake fails.
- If you have deployed a Palo Alto Networks firewall between the agent and Active Directory, use one of the following App-IDs, depending on which protocol you select when you configure the Cloud Identity agent, to allow traffic from the Cloud Identity agent to your domain controllers:
  - If the agent uses the LDAP protocol, use the ldap App-ID.
  - If the agent uses the LDAPS or LDAP with STARTTLS protocol, use the ssl App-ID.
- If you're using a non-Palo Alto Networks firewall:
  - Allow LDAP or LDAPS traffic from the Cloud Identity agent to your Active Directory domain controllers on the LDAP or LDAPS port (by default TCP 389 for LDAP and LDAP with STARTTLS, TCP 636 for LDAPS).
  - Allow HTTPS traffic from the Cloud Identity agent on port 443 to the Cloud Identity Engine destination URL for your tenant's region. For the region-specific agent configurations, refer to Configure the Cloud Identity agent.
  - Allow traffic from the Cloud Identity agent to the following URLs on the listed ports:
    - http://crl.godaddy.com on port 80.
    - http://ocsp.godaddy.com on port 80.
    - https://certs.godaddy.com on port 443.
  - If that firewall, or a proxy in the path, performs TLS interception, exclude the agent's traffic to the Cloud Identity Engine from interception for the same reason given above: the mutual authentication between the agent and the service cannot survive a device that terminates the TLS session.
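The following preflight script is an added example, not Palo Alto Networks code, for confirming from the agent host that the flows listed above are actually allowed before you install or upgrade the agent. It assumes you pass the regional Cloud Identity Engine hostname (looked up in the table in Configure the Cloud Identity agent) and your domain controller's hostname on the command line; neither is hard-coded. The `connect` parameter is injectable only so the check can be exercised without a network, and the `tls_issuer` helper shows what a still-decrypting firewall looks like from the agent's side: the leaf certificate is issued by the firewall's forward-trust CA instead of the public CA, or the chain fails to validate.

```python
"""Preflight: can this host reach everything the Cloud Identity agent needs?

Added example (not Palo Alto Networks code). Run on the agent host:
    python preflight.py <regional-hostname> <dc-hostname> [ldap-port]
"""
import socket
import ssl
from dataclasses import dataclass


@dataclass(frozen=True)
class Target:
    host: str
    port: int
    purpose: str


def required_targets(regional_host, dc_host, ldap_port=636):
    """Destinations the agent host must reach, per the list on this page.

    regional_host: Cloud Identity Engine hostname for your tenant's region
      (assumed to come from the table in Configure the Cloud Identity agent).
    dc_host / ldap_port: your domain controller and the port matching the
      protocol you chose for the agent (389 for LDAP or LDAP with STARTTLS,
      636 for LDAPS).
    """
    return [
        Target(regional_host, 443, "Cloud Identity Engine (HTTPS)"),
        Target("crl.godaddy.com", 80, "CRL download (plain HTTP by design)"),
        Target("ocsp.godaddy.com", 80, "OCSP responder (plain HTTP by design)"),
        Target("certs.godaddy.com", 443, "certificate download (HTTPS)"),
        Target(dc_host, ldap_port, "Active Directory (LDAP/LDAPS)"),
    ]


def probe(target, connect=socket.create_connection, timeout=5.0):
    """TCP-connect to one target; returns (ok, detail).

    `connect` is injectable so the logic can be tested offline; in real use
    leave it as socket.create_connection.
    """
    try:
        with connect((target.host, target.port), timeout=timeout):
            return True, "tcp connect ok"
    except OSError as exc:  # DNS failure, refused, timed out, unreachable
        return False, f"{type(exc).__name__}: {exc}"


def check_all(targets, connect=socket.create_connection, timeout=5.0):
    """Probe every target; returns a list of (target, ok, detail)."""
    return [(t, *probe(t, connect=connect, timeout=timeout)) for t in targets]


def blocked(report):
    """Targets that failed, i.e. flows a firewall rule still has to allow."""
    return [t for t, ok, _ in report if not ok]


def tls_issuer(host, port=443, timeout=5.0):
    """Complete a TLS handshake and return the issuer CN of the leaf cert.

    If SSL decryption is still applied to this flow, the agent host sees a
    certificate issued by the firewall's forward-trust CA rather than the
    public CA, or the chain does not validate at all. Either way the
    mutual-TLS handshake the agent needs cannot succeed, so this is a quick
    way to confirm the decryption exclusion is in place.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLError as exc:
        return f"tls handshake failed ({getattr(exc, 'verify_message', exc)})"
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    return issuer.get("commonName", "<no CN>")


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 3:
        sys.exit("usage: preflight.py <regional-hostname> <dc-hostname> [ldap-port]")
    regional, dc = sys.argv[1], sys.argv[2]
    port = int(sys.argv[3]) if len(sys.argv) > 3 else 636
    report = check_all(required_targets(regional, dc, port))
    for t, ok, detail in report:
        print(f"{'OK  ' if ok else 'FAIL'} {t.host}:{t.port:<4} {t.purpose}: {detail}")
    if not blocked(report):
        print(f"TLS issuer for {regional}: {tls_issuer(regional)}")
    sys.exit(1 if blocked(report) else 0)
```

A FAIL on the two port 80 entries with OK everywhere else is the classic symptom of a "block all HTTP" rule that was never given an exception for revocation traffic. An issuer CN that names your firewall's forward-trust certificate, rather than a public CA, means the agent's flow is still inside the decryption policy and the exclusion above has not taken effect.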