Configure the Security Cloud Control for cross-domain trust step 3: Resolve issues

The final step in setting up cross-domain trust in the Cloud-Delivered Firewall Management Center is to make sure users and groups are downloaded without errors. A typical reason why users and groups do not download properly is that the realms to which they belong have not been downloaded to the Cloud-Delivered Firewall Management Center.

This topic discusses how to diagnose that a group referred in one forest to cannot be downloaded because the realm is not configured to find the group in the domain controller hierarchy.

Procedure

Step 1

Log in to the Security Cloud Control.

Step 2

Click Policies > Firewall Threat Defense > Integrations > Other Integrations > Realms.

In the Realms column, if Yellow Triangle (yellow triangle icon) is displayed next to the name of a realm, you have issues that must be resolved. If not, your results are configured properly and you can quit.

Step 3

Download users and groups again from the realms that display issues.

  1. Click the Realms tab.

  2. Click (Download Now), then click Yes.

Step 4

Click the Sync Results tab page.

If the Yellow Triangle (yellow triangle icon) is displayed in the Realms column, click Yellow Triangle (yellow triangle icon) next to the realm that has issues.

Step 5

In the middle column, click either Groups or Users to find more information.

Step 6

In the Groups or Users tab page, click Yellow Triangle (yellow triangle icon) to display more information.

The right column should display enough information you can isolate the source of the issue.

You can troubleshoot user download errors when users are stored in different Active Directory repositories. Read the columns left to right. Click the triangular icon to get more information.

In the preceding example, forest.example.com includes a cross-domain group CrossForestInvalidGroup that contains another group EastMarketingUsers that was not downloaded by the Cloud-Delivered Firewall Management Center. If, after synchronizing the eastforest.example.com realm again, the error does not resolve, it likely means that the Active Directory domain controller does not include EastMarketingUsers .

To resolve this issue, you can:

  • Remove the EastMarketingUsers from CrossForestInvalidGroup , synchronize the forest.example.com realm again, and recheck.

  • Remove the ou=EastEngineering value from the Group DN of the eastforest.example.com realm, which causes the Cloud-Delivered Firewall Management Center to retrieve groups from the highest level in the Active Directory hierarchy, synchronize eastforest.example.com , and recheck.