topic Re: For my next feat . . . User Identification and Active Directory in General Topics

For my next feat . . . User Identification and Active Directory

bdunbar — Tue, 30 Sep 2014 18:35:08 GMT

PAN-200
Software version: 6.0.1
GlobalProtect Agent: 2.0.4

Me, again. Linux/Unix guy, drafted to be the Windows / Network guy when that fellow left.

Our network reseller setup the device. I'm trying to dope this stuff out a) because their time is valuable and we're minding our dollars and b) I really need to _know_ this stuff.

My next feat is to get some of the Windows 8 peecees in the office connected through the VPN to login to the domain controller in the (remote) data center.

VPN login using Local User Database works fine: turn on the Global Protect client, and we can remote login (RDP, ssh) any resource in the data center. Great!

I've got a domain controller, and the beginnings of a nice little Active Directory setup: lookin' okay there, too.

Edit the DNS so the device is looking at my Domain Controller.

Go to Device - User Identification . User Mapping - Edit User ID Agent Setup

Fill in a valid service user in the domain, with the right groups.

Go to Server Monitoring - hit Discover: nothing.

Click Add, give it the information - status is

I think 'that's funny' and shell into the host.

admin@<redacted host> ping host 209.59.31.137

PING 209.59.31.137 (209.59.31.137) 56(84) bytes of data.

From 10.220.0.127 icmp_seq=2 Destination Host Unreachable

And I don't even know where 10.220.0.127 came from. I get that when I (try) to ping Google ...

admin@<redacted host> ping host 8.8.8.8

PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.

From 10.220.0.127 icmp_seq=1 Destination Host Unreachable

From 10.220.0.127 icmp_seq=2 Destination Host Unreachable

I _guess_ I've got a routing issue? All I want to be able to do is login, man, and get this thing up and running with Active Directory.

I _feel_ like I don't even know where to begin.

Re: For my next feat . . . User Identification and Active Directory

Retired Member — Tue, 30 Sep 2014 18:41:17 GMT

could you share output after typing configure

# show deviceconfig system

Re: For my next feat . . . User Identification and Active Directory

bat — Tue, 30 Sep 2014 18:53:38 GMT

Hi bdunbar

10.220.0.127 should be the IP that does not have that route to the destination 209.59.31.137 that is why it is replying with ICMP destination unreachable. This is either your default gateway in management interface settings (Device > Setup > Management ) or some device in between the path to the destination.

We will wait for you to attach the above output requested.

Thanks

Re: For my next feat . . . User Identification and Active Directory

bdunbar — Tue, 30 Sep 2014 20:00:21 GMT

output ..

admin@tn-gateway-01# show deviceconfig system

system {

ip-address 10.220.0.127;

netmask 255.255.255.0;

update-server updates.paloaltonetworks.com;

update-schedule {

threats {

recurring {

daily {

at 01:30;

action download-and-install;

}

wildfire {

recurring {

every-hour {

at 20;

action download-and-install;

}

global-protect-datafile {

recurring {

weekly {

action download-and-install;

at 03:00;

day-of-week sunday;

}

anti-virus {

recurring {

daily {

at 00:30;

action download-and-install;

}

timezone US/Central;

service {

disable-telnet yes;

disable-http yes;

}

hostname tn-gateway-01;

default-gateway 10.220.0.1;

dns-setting {

servers {

primary 209.59.29.221;

}

route {

service {

dns {

source {

address 209.59.31.140/29;

interface vlan.10;

}

email {

source {

address 209.59.31.140/29;

interface vlan.10;

}

ntp {

source {

address 209.59.31.140/29;

interface vlan.10;

}

paloalto-updates {

source {

address 209.59.31.140/29;

interface vlan.10;

}

url-updates {

source {

address 209.59.31.140/29;

interface vlan.10;

}

wildfire {

source {

address 209.59.31.140/29;

interface vlan.10;

}

ntp-server-1 209.118.204.201;

domain corp.cicayda.com;

}

[edit]

admin@tn-gateway-01#

Re: For my next feat . . . User Identification and Active Directory

hshah — Tue, 30 Sep 2014 20:05:45 GMT

Hi Bdundbar,

IP address and default gateway looks good, in that case I think firewall is not learning ARP entry for default gateway.

destination host unreachable

Can you ping default gateway or does firewall learn ARP entry for default gateway.

Regards,

Hardik Shah

Re: For my next feat . . . User Identification and Active Directory

bdunbar — Tue, 30 Sep 2014 20:17:14 GMT

"Can you ping default gateway"

Nope.

admin@tn-gateway-01> ping host 10.220.0.1

PING 10.220.0.1 (10.220.0.1) 56(84) bytes of data.

From 10.220.0.127 icmp_seq=3 Destination Host Unreachable

From 10.220.0.127 icmp_seq=4 Destination Host Unreachable

From 10.220.0.127 icmp_seq=5 Destination Host Unreachable

From 10.220.0.127 icmp_seq=6 Destination Host Unreachable

--- 10.220.0.1 ping statistics ---

7 packets transmitted, 0 received, +4 errors, 100% packet loss, time 6023ms

, pipe 3

"or does firewall learn ARP entry for default gateway."

You lost me. Sorry: I don't know where to find a value like that? If it helps .. my arp table ..

admin@tn-gateway-01> show arp all

maximum of entries supported : 500

default timeout: 1800 seconds

total ARP entries in table : 14

total ARP entries shown : 14

status: s - static, c - complete, e - expiring, i - incomplete

interface ip address hw address port status ttl

--------------------------------------------------------------------------------

ethernet1/4 209.59.29.194 00:25:90:d1:e9:36 ethernet1/4 c 315

ethernet1/4 209.59.29.195 00:25:90:af:44:44 ethernet1/4 c 744

ethernet1/4 209.59.29.196 00:25:90:d1:ea:88 ethernet1/4 c 999

ethernet1/4 209.59.29.199 00:25:90:d1:e9:07 ethernet1/4 c 756

ethernet1/4 209.59.29.201 a0:36:9f:1d:fe:8c ethernet1/4 c 849

ethernet1/4 209.59.29.203 00:0c:29:f7:8b:ba ethernet1/4 c 547

ethernet1/4 209.59.29.210 a0:36:9f:21:96:f0 ethernet1/4 c 1722

ethernet1/4 209.59.29.221 00:0c:29:ab:17:b0 ethernet1/4 c 1788

ethernet1/4 209.59.29.222 00:0c:29:75:a7:f9 ethernet1/4 c 1423

ethernet1/4 209.59.29.224 00:0c:29:ff:4f:54 ethernet1/4 c 1799

ethernet1/4 209.59.29.254 54:e0:32:f3:2d:81 ethernet1/4 c 1659

vlan.10 209.59.31.137 00:00:0c:07:ac:0d ethernet1/1 c 1221

vlan.10 209.59.31.138 84:78:ac:55:d1:c1 ethernet1/1 c 1669

vlan.10 209.59.31.139 d8:67:d9:0f:05:41 ethernet1/2 c 1669

Which causes me to realize a thing, that may or may not be relevant.

I was having a time getting the hypervisors to talk on the vlan set aside for the 'private' 10.x.x.x network, so put my first round of hosts in the 209.59.29.193/26 network, hanging off ethernet 1/4. After this deployment is done, I said, I'd go back and figure out what the problem is.

Re: For my next feat . . . User Identification and Active Directory

Retired Member — Tue, 30 Sep 2014 20:21:43 GMT

used many service route configuration probably management interface has no access to internet and AD either.You may change Active Directory access interface.

Go to Device/Setup/Services/Service Route Configuration Choose destination as AD ip address and choose your LAN interface and IP.(which can access to AD)

Re: For my next feat . . . User Identification and Active Directory

hshah — Tue, 30 Sep 2014 20:22:12 GMT

Hi Bdunbar,

Command to view management interface arp is " show arp management". In this case I am very positive firewall is not learning ARP for default gateway. Hence everything is unreachable just from management interface.

Regards,

Hardik SHah

Re: For my next feat . . . User Identification and Active Directory

hshah — Tue, 30 Sep 2014 20:23:59 GMT

Hi Bdunbar,

You can route user-id traffic through dataplane. You need to configure service route. Refer following document.

Setting a Service Route for Services to Use a Dataplane Interface from the Web UI and CLI

Regards,

Hardik Shah

Re: For my next feat . . . User Identification and Active Directory

bdunbar — Tue, 30 Sep 2014 21:52:14 GMT

That did it, thank you very much.

Re: For my next feat . . . User Identification and Active Directory

bdunbar — Tue, 30 Sep 2014 21:52:35 GMT

That was the trick - thank you very much.