topic Re: AD Groups not working in Policies in General Topics

AD Groups not working in Policies

GWynn — Fri, 15 Sep 2023 06:00:58 GMT

Hello all, this sounds very similar to a previous post I found on here but I could not see a resolution. Very basic. I am trying to block or allow a domain user from the internet, from LAN zone to WAN zone. This will not work if I have domain\user in the Source User Field. I can see a user when I run:

admin@GeoffFirewall> show user ip-user-mapping all

IP Vsys From User IdleTimeout(s) MaxTimeout(s)
--------------------------------------------- ------------------- ------- -------------------------------- -------------- -------------
172.60.1.1 vsys1 Unknown unknown 1 4
172.60.1.4 vsys1 Unknown unknown 3 6
172.60.1.3 vsys1 AD xsoar\geoff.jones 2334 2334
Total: 3 users

If I change the source to ALL then it of course works, either blocking or allowed. Thoughts??

Re: AD Groups not working in Policies

aleksandar.astardzhiev — Fri, 15 Sep 2023 07:42:36 GMT

Hi @GWynn ,

Please check the following discussion - https://live.paloaltonetworks.com/t5/next-generation-firewall/gp-amp-saml-wrong-domain-for-group-mapping/m-p/536886#M1259

Can you please provide output of the commands I have shared in my last post in the above discussion?

Also can you share little more background of your setup
- What are you using for AD? On-Prem AD or Azure AD? Are you using LDAP for group mapping?

- What are you using for user-id information? Server Monitor, User-ID agent or GlobalProtect client?

Re: AD Groups not working in Policies

GWynn — Fri, 15 Sep 2023 09:49:28 GMT

Hello @aleksandar.astardzhiev thanks. I am using Windows 2012R2 in a lab setup. I am using LDAP for group mapping yes.

I am also using server monitor, and yes in this screenshot it's timed out, it keeps doing that as well but separate issue I think!

admin@GeoffFirewall> show user user-attributes user netbios\user

admin@GeoffFirewall> show user user-attributes user fqdn.local\user

admin@GeoffFirewall> show user user-attributes user xsoar.local\user

admin@GeoffFirewall> show user user-attributes user geoffj@xsoar.local

Primary: xsoar.local\geoff.jones
Alt User Names:
1) geoffj@xsoar.local
2) xsoar.local\geoffj

admin@GeoffFirewall> show user user-attributes user xsoar.local\geoffj

admin@GeoffFirewall>

Re: AD Groups not working in Policies

aleksandar.astardzhiev — Fri, 15 Sep 2023 15:35:59 GMT

Hi @GWynn ,

What is the output from

> debug user-id dump domain-map

If you look closely you can see that ip-to-user mapping is mapping your username in the format of "xsoar\geoff.jones", but most probably your group-mapping is using the format "xsoar.local\geoff.jones" (with one additional .local)

You could confirm this also by comparing the output from ip-to-user mapping and group mapping

What is the output of the command:

> show user group name "cn=<target-user-group>,cn=users,dc=xsoar,dc=local"

Check also the links for domain-map

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFnCAK

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVDCA0

Re: AD Groups not working in Policies

GWynn — Sun, 17 Sep 2023 22:26:36 GMT

Hello, I have done this and reset the mappings as per: but now what? It appears the Palo pulls in the FQDN then converts it to Netbios name, I am still not sure how to resolve this?

 debug user-id reset group-mapping all

Restart User-ID by using the command

> debug software restart process user-id

Confirm that the domain map now exits.

> debug user-id dump domain-map

Re: AD Groups not working in Policies

GWynn — Mon, 18 Sep 2023 10:11:19 GMT

admin@GeoffFirewall> debug user-id dump domain-map

xsoar.local : xsoar
vsys1 dc=xsoar,dc=local

admin@GeoffFirewall>

______________________________________________________

admin@GeoffFirewall> show user group name "cn=full-access,cn=users,dc=xsoar,dc=local"

short name: xsoar.local\full-access

source type: ldap
source: xsoar.local-GroupMapping

[1 ] xsoar.local\geoff

admin@GeoffFirewall>

Re: AD Groups not working in Policies

aleksandar.astardzhiev — Mon, 18 Sep 2023 10:17:42 GMT

Hi @GWynn

Domain mapping look good now. However probably your group-mapping may need some adjustment.

Can you share your group mapping config?

Re: AD Groups not working in Policies

GWynn — Mon, 18 Sep 2023 10:28:08 GMT

You mean this??

Re: AD Groups not working in Policies

aleksandar.astardzhiev — Mon, 18 Sep 2023 10:30:55 GMT

Hey @GWynn ,

That is needed as well, but in addition - have you define anything in the "Domain" field on the "Server profile" tab? It looks you did, but can you confirm?

Re: AD Groups not working in Policies

GWynn — Mon, 18 Sep 2023 10:31:52 GMT

Re: AD Groups not working in Policies

GWynn — Mon, 18 Sep 2023 10:32:23 GMT

Thanks @aleksandar.astardzhiev for your help BTW!

Re: AD Groups not working in Policies

aleksandar.astardzhiev — Mon, 18 Sep 2023 10:46:31 GMT

Hey @GWynn ,

I think we are getting closer:

- Domain field in the group mapping is optional. If you add something there it will override the domain that collected by the firewall with the LDAP queries.

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/map-users-to-groups#id44a39121-660d-4197-abe7-26c897b64e7e

(Optional) By default, the User Domain field is blank: the firewall automatically detects the domain names for Active Directory (AD) servers. If you enter a value, it overrides any domain names that the firewall retrieves from the LDAP source. For most configurations, if you need to enter a value, enter the NetBIOS domain name (for example, example not example.com).

- In addition on the "user and group attributes" you are using the default settings, which tells the user to collect sAMAccountName and userPrincipalName. This can be confirmed by looking at the user attributes that FW is assciating with user

dmin@GeoffFirewall> show user user-attributes user geoffj@xsoar.local Primary: xsoar.local\geoff.jones Alt User Names: 1) geoffj@xsoar.local 2) xsoar.local\geoffj

However since you are overriding the domain in the group-mapping that user does no longer matching.

Please try to remove the domain from the group mapping and force group-mapping refresh with

> debug user-id refresh group-mapping all

Re: AD Groups not working in Policies

GWynn — Mon, 18 Sep 2023 10:51:20 GMT

OK, I have removed the domain but when I commit I now get this!

Error: Profile compiler : failed to get PAN sinkhole ip
(Module: device)
client device phase 1 failure
Commit failed

A quick Google has not helped!

Re: AD Groups not working in Policies

aleksandar.astardzhiev — Mon, 18 Sep 2023 11:03:59 GMT

@GWynn ,

This has nothing to do with user-id and anything related to what we are trying to fix.

Sinkhole IP is used by the DNS Security, which is part of the Anti-Spyware profile. I don't recall to have seen such error, but:

- Check what spyware profiles you have created. What are you using for sinkhole ip on the DNS security tab?

- Do you have license for Theat Prevent or DNS Sec? You mentioned this is lab.

- Try to remove any spyware profiles for now, just to be able to push the config for group mapping.

Re: AD Groups not working in Policies

GWynn — Mon, 18 Sep 2023 11:05:53 GMT

Lol I know! I am not doing any of this, this really is a basic setup. I haven't created any such profiles. I have a 60 day license for everything but not long left. Thanks I'll take a look! !!!

Re: AD Groups not working in Policies

GWynn — Mon, 18 Sep 2023 11:06:48 GMT

I can't delete these...I'll keep looking...

Re: AD Groups not working in Policies

GWynn — Mon, 18 Sep 2023 11:26:56 GMT

Hello, I have had to reboot everything so let's check the state! Something didn't like something!

Re: AD Groups not working in Policies

GWynn — Mon, 18 Sep 2023 11:32:23 GMT

OK, I'm back in and deleted the Domain, committed fine and have run the below command

debug user-id refresh group-mapping all

Re: AD Groups not working in Policies

aleksandar.astardzhiev — Mon, 18 Sep 2023 11:40:01 GMT

Hey @GWynn ,

The refresh is only need to save you time and not waiting for the group-mapping update (defined in the Server profile in group mapping), Rebooting the firewall should have the exact same effect - triggering new LDAP query

Check the output from group mapping, user-ip mapping and user atttributes:

> show user group name "cn=full-access,cn=users,dc=xsoar,dc=local" > show user user-attributes user > show user ip-user-mapping all

Re: AD Groups not working in Policies

GWynn — Mon, 18 Sep 2023 12:03:20 GMT

Output:

admin@GeoffFirewall> show user group name "cn=full-access,cn=users,dc=xsoar,dc=local"

short name: xsoar\full-access

source type: ldap
source: xsoar

[1 ] xsoar\geoff

admin@GeoffFirewall> show user user-attributes user geoffj

admin@GeoffFirewall> show user ip-user-mapping all

admin@GeoffFirewall>