<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: User/Group based policy questions in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/user-group-based-policy-questions/m-p/35249#M25895</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I managed to pass the first hurdle. Pushing user-id/group based policies via Panorama is possible. Under Panorama -&amp;gt; Device Groups -&amp;gt; there is an option called "Master Device" (refer to the screenshot below). If you add a device here and if that device has the LDAP, Group Mapping, etc. configured, then Panorama can pull the user/group information from it. I was able to create an Active Directory group based policy via Panorama. Now the next pending item is: do I need to have Group Mapping created on the individual device where the policy is pushed?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;IMG alt="" class="jiveImage" height="304" src="https://live.paloaltonetworks.com/legacyfs/online/5505_pastedImage_0.png" style="width: 676px; height: 304px;" width="676" /&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Fri, 01 Feb 2013 14:48:09 GMT</pubDate>
    <dc:creator>Sly_Cooper</dc:creator>
    <dc:date>2013-02-01T14:48:09Z</dc:date>
    <item>
      <title>User/Group based policy questions</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/user-group-based-policy-questions/m-p/35248#M25894</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I have a need to configure user/group based policy. I am having difficulties with the same and have multiple questions. I hope someone will help me with the configuration.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;1. We push all our policies from Panorama. Can I configure user/group based policy on Panorama and push to all firewalls?&lt;/P&gt;&lt;P&gt;2. I have pushed the LDAP config from Panorama to all firewalls. Can I use the same in group mapping?&lt;/P&gt;&lt;P&gt;3. Do I need to configure group mapping before using the group or users in that group in the policy?&lt;/P&gt;&lt;P&gt;4. I have a scenario wherein I have configured a local LDAP profile along with the Panorama pushed one. Although I can browse the group and create the group mapping, I cannot find any users which are part of that group from the CLI.&lt;/P&gt;&lt;P&gt;5. I have also found out that PA firewalls have issues browsing distribution groups. It can find security groups in Active Directory without any problem. Did anyone come across the same or know this limitation?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I already have a support case open; however, there is no resolution yet.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks in advance.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 29 Jan 2013 12:45:49 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/user-group-based-policy-questions/m-p/35248#M25894</guid>
      <dc:creator>Sly_Cooper</dc:creator>
      <dc:date>2013-01-29T12:45:49Z</dc:date>
    </item>
    <item>
      <title>Re: User/Group based policy questions</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/user-group-based-policy-questions/m-p/35249#M25895</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I managed to pass the first hurdle. Pushing user-id/group based policies via Panorama is possible. Under Panorama -&amp;gt; Device Groups -&amp;gt; there is an option called "Master Device" (refer to the screenshot below). If you add a device here and if that device has the LDAP, Group Mapping, etc. configured, then Panorama can pull the user/group information from it. I was able to create an Active Directory group based policy via Panorama. Now the next pending item is: do I need to have Group Mapping created on the individual device where the policy is pushed?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;IMG alt="" class="jiveImage" height="304" src="https://live.paloaltonetworks.com/legacyfs/online/5505_pastedImage_0.png" style="width: 676px; height: 304px;" width="676" /&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 01 Feb 2013 14:48:09 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/user-group-based-policy-questions/m-p/35249#M25895</guid>
      <dc:creator>Sly_Cooper</dc:creator>
      <dc:date>2013-02-01T14:48:09Z</dc:date>
    </item>
  </channel>
</rss>

