https://live.paloaltonetworks.com/t5/general-topics/active-directory-help/m-p/28813#M21038 <HTML><HEAD></HEAD><BODY><P>Hello, you need need to setup a user ID agent to collect user &gt; IP mappings. This can be done with the internal user ID Agent built in to the device or by using the external Windows User ID Agent. </P></BODY></HTML> Wed, 14 Aug 2013 16:18:57 GMT jteetsel 2013-08-14T16:18:57Z https://live.paloaltonetworks.com/t5/general-topics/active-directory-help/m-p/28812#M21037 <HTML><HEAD></HEAD><BODY><P>Hi All,</P><P></P><P>We received our first pan 3020 Monday and I have been trying to learn about the product in order to setup for production. I'm making good progress so far, but I have run into an issue importing AD users. I setup group mapping and I'm able to see groups that were imported, but no users. What am I missing?</P><P></P><P>Thanks in advance for your help.</P></BODY></HTML> Wed, 14 Aug 2013 16:03:32 GMT https://live.paloaltonetworks.com/t5/general-topics/active-directory-help/m-p/28812#M21037 jbo 2013-08-14T16:03:32Z https://live.paloaltonetworks.com/t5/general-topics/active-directory-help/m-p/28813#M21038 <HTML><HEAD></HEAD><BODY><P>Hello, you need need to setup a user ID agent to collect user &gt; IP mappings. This can be done with the internal user ID Agent built in to the device or by using the external Windows User ID Agent. </P></BODY></HTML> Wed, 14 Aug 2013 16:18:57 GMT https://live.paloaltonetworks.com/t5/general-topics/active-directory-help/m-p/28813#M21038 jteetsel 2013-08-14T16:18:57Z https://live.paloaltonetworks.com/t5/general-topics/active-directory-help/m-p/28814#M21039 <HTML><HEAD></HEAD><BODY><P>Have you configured ip user mapping as well. Please configure IP user mapping on the firewall, with either the agent or the agentless feature</P><P></P><P>You can view the users using the below commands:</P><P></P><P>&gt;show user group list</P><P>This shows the groups that are learnt from the AD</P><P></P><P>&gt;show user group name &lt;group-name&gt;</P><P>This command shows the users associated to that group</P><P></P><P>BR,</P><P>Karthik </P></BODY></HTML> Wed, 14 Aug 2013 16:19:21 GMT https://live.paloaltonetworks.com/t5/general-topics/active-directory-help/m-p/28814#M21039 kprakash 2013-08-14T16:19:21Z https://live.paloaltonetworks.com/t5/general-topics/active-directory-help/m-p/28815#M21040 <HTML><HEAD></HEAD><BODY><P>so you use agentless system ? you configured user identification tab/user mapping&nbsp; and enabled user identification on the zone you need ?</P></BODY></HTML> Wed, 14 Aug 2013 16:21:07 GMT https://live.paloaltonetworks.com/t5/general-topics/active-directory-help/m-p/28815#M21040 Retired Member 2013-08-14T16:21:07Z https://live.paloaltonetworks.com/t5/general-topics/active-directory-help/m-p/28816#M21041 <HTML><HEAD></HEAD><BODY><P>Currently I'm agentless. I setup the User Mapping and added server monitors for my dc's. I have Group Mapping Settings setup. LDAP is also setup, but when I click on a policy it only shows groups and no users.</P></BODY></HTML> Thu, 15 Aug 2013 03:08:35 GMT https://live.paloaltonetworks.com/t5/general-topics/active-directory-help/m-p/28816#M21041 jbo 2013-08-15T03:08:35Z https://live.paloaltonetworks.com/t5/general-topics/active-directory-help/m-p/28817#M21042 <HTML><HEAD></HEAD><BODY><P>can you verify if the user mapping shows up the user, use following command to check the same</P><P>&gt; show user ip-user-mapping all</P><P>If the user is present can you try manually type in the username i.e first couple of letters</P></BODY></HTML> Thu, 15 Aug 2013 03:18:17 GMT https://live.paloaltonetworks.com/t5/general-topics/active-directory-help/m-p/28817#M21042 sraghunandan 2013-08-15T03:18:17Z https://live.paloaltonetworks.com/t5/general-topics/active-directory-help/m-p/28818#M21043 <HTML><HEAD></HEAD><BODY><P>I just stumbled into my issue. Under "Server Profiles", "LDAP" I had domain.local in the domain field. So it was listing all of my users as domain.local\username. So when I was trying to find the users they didn't show up as domain\username. Amazing such a problem from one little field. </P><P></P><P>Thanks for all the help guys.</P></BODY></HTML> Thu, 15 Aug 2013 03:19:43 GMT https://live.paloaltonetworks.com/t5/general-topics/active-directory-help/m-p/28818#M21043 jbo 2013-08-15T03:19:43Z https://live.paloaltonetworks.com/t5/general-topics/active-directory-help/m-p/28819#M21044 <HTML><HEAD></HEAD><BODY><P>It's because you provide domain.local - change it to domain</P><P>please read this topic <A __default_attr="5050" __jive_macro_name="thread" class="jive_macro jive_macro_thread" href="https://live.paloaltonetworks.com/"></A></P><P></P><P>Regards</P><P>Slawek</P></BODY></HTML> Thu, 15 Aug 2013 09:32:07 GMT https://live.paloaltonetworks.com/t5/general-topics/active-directory-help/m-p/28819#M21044 _slv_ 2013-08-15T09:32:07Z https://live.paloaltonetworks.com/t5/general-topics/active-directory-help/m-p/28820#M21045 <HTML><HEAD></HEAD><BODY><P>Hi Jbo, </P><P>In the ldap profile under domain it is suppose to be netbios domain name and not FQDN. If you specify a wrong netbios domain name then the mapping will be incorrect and policies will not work correctly either. The reason is it appends the netbios domain name&nbsp; you specify when it mapping the users. Hope that helps.</P><P>Thanks</P><P>Numan</P></BODY></HTML> Thu, 15 Aug 2013 15:21:48 GMT https://live.paloaltonetworks.com/t5/general-topics/active-directory-help/m-p/28820#M21045 mbutt 2013-08-15T15:21:48Z