topic Re: Want to create a security policy based on domain user group. in General Topics

Want to create a security policy based on domain user group.

jbaublitz — Thu, 13 Sep 2012 17:49:05 GMT

Hi, I would like to set up a security policy based on a group a user belongs to on my AD. I've set up the LDAP, and USER ID client on the server, but when I go to create the security rule, nothing shows up in the add box for the user. Even if I click the drop down, or start to type the domain/username info. I'm thinking I missed a step, or something. Can anyone recommend somethings I should check, or point me in the direction of some good documents?

Thanks!!

Re: Want to create a security policy based on domain user group.

sdurga — Thu, 13 Sep 2012 18:17:17 GMT

Here is a document that explains how to configure User-ID agent and the LDAP server group mappings.

https://live.paloaltonetworks.com/docs/DOC-3120

If you have all the configuration set according to the document. I would ask you to check whether the firewall is actually pulling the user-groups information. This can be verified with the command " show user group-mapping state all" . If you are able to see all the groups information in the output then the group mapping is working properly. So you might want to try using different browsers to create security rules and see if it helps.

Thanks,

Sandeep T

Re: Want to create a security policy based on domain user group.

UhMayYeah — Thu, 13 Sep 2012 18:26:12 GMT

If the firewall isn't showing User Info:

Verify if the Agent is the User-Mapping :

CLI command to verify User-IP Mapping (Done by User-Id Agent)

>show user ip-user-mapping

If you see this command not showing IP-User Mapping :

Check if the Agent is connected also verify if you see Discovered Users on the Agent (Monitor).

Refer:

User Identification Initial Setup

https://live.paloaltonetworks.com/docs/DOC-3664

If IP-User Mapping is being done as expected verify LDAP config for User-Group Mapping

CLI command to verify User-Group Mapping (Done by Firewall via LDAP)

Enlists Users in the group (Included Groups in LDAP/All if No Included Groups configured)

>show user group name <value>

User Identification Tech Note PAN-OS 4.1

https://live.paloaltonetworks.com/docs/DOC-3120

-Ameya

Re: Want to create a security policy based on domain user group.

sdurga — Thu, 13 Sep 2012 20:57:26 GMT

You can also try resetting the user-id manager with the command "debug user-id reset user-id manager type all" and also "debug software restart user-id" from the cli

Sandeep T

Re: Want to create a security policy based on domain user group.

jbaublitz — Fri, 14 Sep 2012 18:19:29 GMT

Hi Guys,

Thanks for the suggestions and help.

Looks like my PAN box is mapping users to IP's.

Here is what I see what I run show user ip-user-mapping:

IP Ident. By User Idle Timeout (s) Max. Timeout (s)

--------------- --------- -------------------------------- ---------------- ----------------

10.2.131.95 AD in\amorse 3499 3499

10.134.193.219 AD in\kwoodward 3499 3499

10.130.193.238 AD in\bucstudent 3499 3499

When I run: show user group list

I don't get anything back. I'm thinking this is where the problem is.

This looks odd to me too:

show user group-mapping state all

Group Mapping(vsys1, type: active-directory): test

Bind DN : PANBOX@IN.SCU.K12.CA.US

Base : DC=in,DC=scu,DC=k12,DC=ca,DC=us

Group Filter: (None)

User Filter: (None)

Servers : configured 1 servers

10.1.20.112(3268)

Proxy state: QUERY_SENT (no result back from agent)

Query agent: ADMASTER2

Result from:

Last Action Time: (Never)

Next Action Time: In 2 secs

Number of Groups: 0

Thanks again for everyone's support! Can't wait to get this going!

Jeff

Re: Want to create a security policy based on domain user group.

zarina — Sat, 15 Sep 2012 14:14:20 GMT

Jeff,

From the output, the agent has not responded back to the firewall with the groups. Make sure the agent and firewall have connectivity and the agent can reach the DC to pull groups. Can you try to bypass the agent and pull the groups directly from DC?

Thanks,

Sri

Re: Want to create a security policy based on domain user group.

_slv_ — Wed, 19 Sep 2012 06:52:55 GMT

jbaublitz,

I got the same errors like You.

In my situation problem was in Device > User Identyfication> Group Mapping Settigs > Group Include list - if you click on "+" you should see yor groups. I got error insted list of group.

To fix it go to Server Profiles > LDAP - server should be reached at 389 port according to

http://technet.microsoft.com/en-us/library/dd772723%28v=ws.10%29.aspx

Slawek

Re: Want to create a security policy based on domain user group.

etank — Fri, 21 Sep 2012 04:24:04 GMT

When you go to Device->Authentication Profile->(open profile up)->Login Attribute

What value is listed there? Mine was blank, and when I put in the value "sAMAccountName" everything started to work like magic. Does that help?

Re: Want to create a security policy based on domain user group.

etank — Fri, 21 Sep 2012 04:32:51 GMT

If you've already got that part working - have you looked at your Group Include List?

Device->User Identification->Group Mapping Settings->Group Include List (tab)

Expand your domain and then find the groups you want - then add them to the list... you can use these in your security policies if they are listed here. Does that help?

Re: Want to create a security policy based on domain user group.

jbaublitz — Mon, 24 Sep 2012 20:13:26 GMT

Got it working... The problem was the PAN box was set to Proxy the groups from the agent to the Box. Support went in and turned off the proxy, and all the groups showed up... Thanks for everyone's help and advice.

Jeff