Wasfi,
You can view the technical requirements of CFS here:
Cloud Firewall Service
https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/cloud-swg/help/cfs-about.html
Outlined there, you can see that:
- To use source conditions containing a user or group, user identity must be available to CFS using at least one of the following connection methods:
  - Any supported agent (including SEP Mobile)
  - Fixed-site IPsec connections with the Auth Connector for domain login detection
  - Challenge-based SAML or Captive Portal authentication, which requires the IP surrogate option
- To apply policies to specific users or groups, you must implement an authentication method
- When you enable CFS, rules do not apply until IPsec or the WSS Agent is configured to forward traffic from all ports. Use a test client to validate CFS rules before enabling for all of your users.