topic Re: How to verify group-mapping in PRISMA access in Prisma Access Discussions

How to verify group-mapping in PRISMA access

Chacko42 — Mon, 23 Mar 2020 20:52:07 GMT

Hi all,

I'm wondering, how to verify, that the group-mapping in Prisma-Access is working correctly.

We configured the Prisma as described in the admin guides, but my group-based security policies are not working as expected.

Authentication via LDAP is working via LDAPS, so I guess the LDAP-connection vor retrieving groups is working.

I would like to do a thing like "show user group list" or sth. else, I can do with on-prem firewall.

Also it would be nice to immediately trigger the group-refresh via "debug user-id refresh group-mapping all".

You get my idea, right?

Any ideas?

Regards

Chacko

Re: How to verify group-mapping in PRISMA access

SuperMario — Tue, 24 Mar 2020 16:00:11 GMT

Hi Chacko,

Unfortunately, you will have to open a TAC case to troubleshoot this. As you mentioned, you need to run some CLI commands to verify and troubleshoot the configuration.

However, here is my suggestion, from my experience, most of the time the issue is due to a format mismatch on the authentication policy vs the group mapping format.

Here is an example:

If you are using sAMAccountName on your Authentication Profile, make sure you add the same format on your Group-Mapping configuration.

Also, in a standalone Prisma Access deployment without a Master Device, you can use a group-based policy using long-form DN entries in Panorama. Prisma Access uses the DN entries to evaluate the User-ID-based policies you have configured in Panorama.
For example, given a User named Bob Alice who works in IT for Organization Hooli in the United States, a matching security policy may have ou=IT Staff,O=Hooli,C=US if the policy is to be applied to all IT staff, or CN=Bob Alice,ou=IT Staff,O=Hooli,C=US if the policy is only to be applied to Bob Alice.

Detailed instructions:

https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/configure-user-based-policies-with-prisma-access/retrieve-user-id-information.html#id823f5b30-2c1d-4c87-9ae6-a06573455af7_id8663ef7a-f62f-44ab-9ae8-113239a11b89

Instructions for the configuration specific to Prisma Access:

https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/configure-user-based-policies-with-prisma-access

Best practice configuration:

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/user-id/map-users-to-groups.html

Multiple Username formats configuration:

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-new-features/user-id-features/support-for-multiple-username-formats.html

I hope this helps.

Re: How to verify group-mapping in PRISMA access

Sai_Tumuluri — Tue, 24 Mar 2020 13:20:27 GMT

@Chacko42

As you said if authentication and traffic policies are working properly it indicates, the group mapping is being retrieved.

The ability to directly run those commands is feature request. Please reach out to SE of the account to help to file the feature request

Re: How to verify group-mapping in PRISMA access

Chacko42 — Tue, 31 Mar 2020 18:34:22 GMT

Hi @Sai_Tumuluri: Thanks, we asked TAC to run show user group name <x> and found out, that the primary user attribute was set to "uid" - I guess that was default behavior in the early days.

A freshly installed Prisma today, got the default sAMAccountName and the audit-logs from the faulty environment found no manual configuration made on this value - however, Feature reqest is sent to local PAN SE and with correct attributes, everything is matching as expected

Re: How to verify group-mapping in PRISMA access

Sai_Tumuluri — Tue, 31 Mar 2020 18:49:37 GMT

Thank you for sharing update. Yes, TAC can help with them.

From my knowledge "sAMAccountName" was the default.

if the domain name is not populating, netbios communication might be failing. Verify with TAC help the domain is populating for users, it is imp

https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-web-interface-help/user-identification/device-user-identification-group-mapping-settings