https://live.paloaltonetworks.com/t5/next-generation-firewall/userid-to-be-used-in-security-policy-fw-not-offering-user-group/m-p/550907#M1577 <P>Hello Szi7443,</P> <P>&nbsp;</P> <P>Are you doing the configuration from Panorama or the firewall?</P> <P>On the firewall, do you see the groups when you try to configure the user/groups?</P> <P>If yes, that’s ok.</P> <P>If not, review the config on the firewall, on CLI you can look for the group list.</P> <P>&nbsp;</P> <P>if you are having the issue on Panorama.</P> <P>- do the check on the firewall</P> <P>if Firewall OK, make sure the device group has master device defined. This firewall will send the group mapping to Panorama.</P> <P>if fw not ok, investigate on firewall.</P> <P>&nbsp;</P> <P>Olivier</P> Tue, 25 Jul 2023 12:57:09 GMT ozheng 2023-07-25T12:57:09Z https://live.paloaltonetworks.com/t5/next-generation-firewall/userid-to-be-used-in-security-policy-fw-not-offering-user-group/m-p/550177#M1548 <P>Hi,</P> <P>&nbsp;</P> <P>I have problem with User-ID not being selectable when creating/editing security policy rule.</P> <P>&nbsp;</P> <P>Setup is as followed:</P> <UL> <LI>branch firewalls connected to Panorama</LI> <LI>Firewall 3400 with 10.2.4 software</LI> <LI>LDAP server configured</LI> <LI>Authentication profile configured</LI> <LI>Included groups in "user identification" configured</LI> <LI>User-ID configured (i am seeing domain\username in traffic log)</LI> <LI>On zones in question, I have user-id enabled</LI> </UL> <P>Command <EM> show user group-mapping state &lt;included group name&gt; </EM>shows no errors connecting to LDAP. Command show user group name domain\groupname shows members of the group.</P> <P>&nbsp;</P> <P>So with given being displayed and working, I would say that there's no obstacle in configuring usernames groups in the security policy rules. Yet I can't figure out why firewall is not offering me group drop-down and when I fill in domain\groupname to "source user", that AD group or user gets black background which as per my understanding indicates that user or group weren't found.</P> <P>&nbsp;</P> <P>Thanks in advance for any hints.</P> <P>&nbsp;</P> Thu, 20 Jul 2023 14:33:03 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/userid-to-be-used-in-security-policy-fw-not-offering-user-group/m-p/550177#M1548 szi7443 2023-07-20T14:33:03Z https://live.paloaltonetworks.com/t5/next-generation-firewall/userid-to-be-used-in-security-policy-fw-not-offering-user-group/m-p/550182#M1549 <P>Edit: It looks like all is working well. I have created a rule on position let's say 10 that contains 1 user called X (the background is black with red letters). Rule 11 is much more broader rule where internet access of user X would be taken care of if user X would not be taken care of by rule 10. The hit count is rising also for rule 10. <BR /><BR />So it seems that all is configured well, it only puzzled me that with every demo I saw on this topic, the presenter has list of users / groups in "select user" dropdown <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> Thu, 20 Jul 2023 15:28:21 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/userid-to-be-used-in-security-policy-fw-not-offering-user-group/m-p/550182#M1549 szi7443 2023-07-20T15:28:21Z https://live.paloaltonetworks.com/t5/next-generation-firewall/userid-to-be-used-in-security-policy-fw-not-offering-user-group/m-p/550191#M1550 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/304674">@szi7443</a> ,</P> <P>&nbsp;</P> <P>That is very interesting!&nbsp; I am running 10.2.4-h2 and my groups show up under Source User when I click Add.</P> <P>&nbsp;</P> <P>I have never encountered the black background.&nbsp; There have been times (e.g., Panorama) where the dropdown was not available, and I pasted the group in.&nbsp; It worked fine.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Thu, 20 Jul 2023 15:35:17 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/userid-to-be-used-in-security-policy-fw-not-offering-user-group/m-p/550191#M1550 TomYoung 2023-07-20T15:35:17Z https://live.paloaltonetworks.com/t5/next-generation-firewall/userid-to-be-used-in-security-policy-fw-not-offering-user-group/m-p/550907#M1577 <P>Hello Szi7443,</P> <P>&nbsp;</P> <P>Are you doing the configuration from Panorama or the firewall?</P> <P>On the firewall, do you see the groups when you try to configure the user/groups?</P> <P>If yes, that’s ok.</P> <P>If not, review the config on the firewall, on CLI you can look for the group list.</P> <P>&nbsp;</P> <P>if you are having the issue on Panorama.</P> <P>- do the check on the firewall</P> <P>if Firewall OK, make sure the device group has master device defined. This firewall will send the group mapping to Panorama.</P> <P>if fw not ok, investigate on firewall.</P> <P>&nbsp;</P> <P>Olivier</P> Tue, 25 Jul 2023 12:57:09 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/userid-to-be-used-in-security-policy-fw-not-offering-user-group/m-p/550907#M1577 ozheng 2023-07-25T12:57:09Z https://live.paloaltonetworks.com/t5/next-generation-firewall/userid-to-be-used-in-security-policy-fw-not-offering-user-group/m-p/551091#M1583 <P>Hi, I am configuring everything form Panorama.</P> <P>&nbsp;</P> <P>I am not aware of what you mean exactly with "on the firewall". If I SSH to the firewall, I can see the user-id mappings and members of the groups retrieved from AD with commands like:</P> <UL> <LI>show user group name domain\group_name</LI> <LI>show user ip-user-mapping all</LI> </UL> <P>The thing is that Panorama is not providing me the values in dropdown when configuring a firewall rule. The original issue can be considered as solved. However, I would still ask two things: </P> <UL> <LI>When configuring user-id, it did not work for me without an authentication profile. Did I misunderstand something or that auth profile is indeed useless for user-id?</LI> <LI>When configuring an application in firewall rule, some of the apps have red gear icon - what does that mean?</LI> </UL> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 26 Jul 2023 13:20:26 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/userid-to-be-used-in-security-policy-fw-not-offering-user-group/m-p/551091#M1583 szi7443 2023-07-26T13:20:26Z https://live.paloaltonetworks.com/t5/next-generation-firewall/userid-to-be-used-in-security-policy-fw-not-offering-user-group/m-p/551100#M1585 <P>Panorama is not pulling directly the mapping, it is a firewall doing that.</P> <P>So if you want to have the group on Panorama, Panorama needs to pull it from a Device (you can search for "User-ID Panorama Master Device".</P> <P>&nbsp;</P> <P>Authentication Profile? If you set up a captive portal that is the only use case with authentication profile.</P> <P>Red gear icon, I would suspect there is an override somewhere..<BR />Anyway, if you want to discuss more about it, better open a new discussion and profile at least a screenshot or you can also open a case to TAC.</P> <P>&nbsp;</P> <P>Olivier</P> Wed, 26 Jul 2023 14:30:50 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/userid-to-be-used-in-security-policy-fw-not-offering-user-group/m-p/551100#M1585 ozheng 2023-07-26T14:30:50Z