topic Re: Unable to assign Security Policy to Users or Groups in General Topics

Unable to assign Security Policy to Users or Groups

MRosloniec — Thu, 23 May 2013 17:33:17 GMT

Hi -

We are using User-ID Agents to create user-to-IP mappings and I've got group mapping configured on the firewall itself and I can browse through my ldap groups. However, when I go to Policies > Security Policy I am unable to select either individual users OR groups to assign the policy to... Nothing populates. Am I missing something somewhere? Seems like it would be straight forward after configuring group mapping. Thanks!

Re: Unable to assign Security Policy to Users or Groups

gswcowboy — Thu, 23 May 2013 17:50:40 GMT

what's the output for the following?

admin@PA-200> show user group-mapping state all

Re: Unable to assign Security Policy to Users or Groups

Retired Member — Thu, 23 May 2013 18:03:44 GMT

what panos version are you using ?

if you configured user id,ldap and group mapping.and also enabled user-id on a zone

you should see users on monitor tab traffic logs.

if everythins is ok and you can't see user/group on security rule

reboot the device if you can, you'll see groups and users on security rule after that.

Re: Unable to assign Security Policy to Users or Groups

MRosloniec — Thu, 23 May 2013 18:03:50 GMT

admin@UTM21-LAB-2-B(active)> show user group-mapping state all

<response status="success"><result>
Group Mapping(vsys1, type: active-directory): Group_Mapping (job 749073)
        Bind DN    : cn=ldap-alt-paloalto,ou=users,o=alticor
        Base       : ou=groups,o=alticor
        Group Filter: (&(objectCategory=Group)(objectClass=group))
        User Filter: (&(objectCategory=person)(objectClass=user))
        Servers    : configured 1 servers
                ldap-adam-apps.intranet.local(389)
        Proxy state: QUERY_SENT
        Query agent: usnx282
        Result from: usnx282
                Last Action Time: 326 secs ago(took 6 secs)
                Next Action Time: Now (started 156 secs ago)
                Query Local Group Mapping Service:
                        Last Action Time: 326 secs ago(took 6 secs)
                        Next Action Time: Now (started 156 secs ago)
        Number of Groups: 0
</result></response>

Re: Unable to assign Security Policy to Users or Groups

gswcowboy — Thu, 23 May 2013 18:15:51 GMT

I don't see any groups being pulled. If you're not filtering groups, we should be able to pull all groups in your AD as shown below.

Group Mapping(vsys1, type: active-directory): amb

Bind DN : renato@amb.local

Base : DC=amb,DC=local

Group Filter: (None)

User Filter: (None)

Servers : configured 1 servers

172.16.20.23(389)

Last Action Time: 1 secs ago(took 0 secs)

Next Action Time: In 3599 secs

Number of Groups: 42

cn=administrators,cn=builtin,dc=amb,dc=local

cn=domain controllers,cn=users,dc=amb,dc=local

cn=remote desktop users,cn=builtin,dc=amb,dc=local

cn=distributed com users,cn=builtin,dc=amb,dc=local

cn=incoming forest trust builders,cn=builtin,dc=amb,dc=local

cn=certificate service dcom access,cn=builtin,dc=amb,dc=local

What does the ldap server profile look like? Grep after the output is displayed on your ssh terminal with the following: "/ldap" and "/group-mapping"

admin@PA-200> show config running

ldap {

amb {

server {

amb {

port 389;

address 172.16.20.23;

}

ldap-type active-directory;

base DC=amb,DC=local;

bind-dn renato@amb.local;

timelimit 30;

bind-timelimit 30;

bind-password -

ssl no;

domain amb;

group-mapping {

amb {

group-object group;

group-name name;

group-member member;

user-object person;

user-name sAMAccountName;

disabled no;

server-profile amb;

Re: Unable to assign Security Policy to Users or Groups

goku123 — Thu, 23 May 2013 18:25:03 GMT

As pointed out in the previous comment, there are no groups being pulled.

Looks like you are using the userID agent for "LDAP Proxy" to query for groups. Does the management interface of the firewall have connectivity to the domain controllers? If so, can you please try to uncheck the "LDAP proxy" checkbox on the userID agent (Device>User identification>User ID agents) and see if groups get pulled?

Re: Unable to assign Security Policy to Users or Groups

Retired Member — Thu, 23 May 2013 18:29:01 GMT

can you see groups on group mapping tab or not ?

Re: Unable to assign Security Policy to Users or Groups

MRosloniec — Thu, 23 May 2013 18:36:36 GMT

rkalugdan I have to apologize - I'm not familiar with running the grep command from the CLI. Can you provide the syntax? I'm on 5.0.4

Re: Unable to assign Security Policy to Users or Groups

MRosloniec — Thu, 23 May 2013 18:37:18 GMT

Yes, I can see groups on the group mapping tab.

Re: Unable to assign Security Policy to Users or Groups

MRosloniec — Thu, 23 May 2013 18:38:17 GMT

I initially had the Use LDAP Proxy box unchecked. I checked it as a way to try to resolve this issue.

Re: Unable to assign Security Policy to Users or Groups

gswcowboy — Thu, 23 May 2013 18:47:15 GMT

so you're now using the user-id agent as an ldap proxy to pull groups. possibly will need to review your ldap server profile to get a better understanding of the issue. glad you were able to get a work around implemented.

Re: Unable to assign Security Policy to Users or Groups

MRosloniec — Thu, 23 May 2013 18:51:17 GMT

rkalugdan -

No, using the user-id agent as an ldap proxy does not work to pull groups. It's interesting because on the Group Mapping tab (Device > User Identification > Group Mapping Settings > Group Include List), I can see all my ldap groups, browse them, etc.. however, I cannot use any of those groups to assign policy to.

Re: Unable to assign Security Policy to Users or Groups

gswcowboy — Thu, 23 May 2013 18:52:51 GMT

show us the ldap config

Re: Unable to assign Security Policy to Users or Groups

Retired Member — Thu, 23 May 2013 18:53:25 GMT

can you try to reboot your device ?

Re: Unable to assign Security Policy to Users or Groups

MRosloniec — Thu, 23 May 2013 19:01:32 GMT

What CLI command will provide the output you're looking for, rkalugdan?

Re: Unable to assign Security Policy to Users or Groups

Retired Member — Thu, 23 May 2013 19:13:35 GMT

you can use

show shared server-profile ldap

in configure mode.

Re: Unable to assign Security Policy to Users or Groups

MRosloniec — Thu, 23 May 2013 19:19:56 GMT

admin@Ada-PAN-M100(primary-active)# show template "US Lab" config shared server-profile ldap LDAP-Group-Mapping

LDAP-Group-Mapping {

server {

ldap-adam-apps.intranet.local {

port 389;

address ldap-adam-apps.intranet.local;

}

ldap-type active-directory;

timelimit 30;

bind-timelimit 30;

ssl no;

domain na;

base ou=groups,o=alticor;

bind-dn cn=ldap-alt-paloalto,ou=users,o=alticor;

bind-password -AQ==ZtJUGAV/ZcKHS4UkVNe1zXA0x2s=uvilr+9UMZiJgEAXcnLCXA==;

}

Re: Unable to assign Security Policy to Users or Groups

gwesson — Fri, 24 May 2013 00:12:23 GMT

The M-100 (and Panorama in general) will not populate users or groups when creating rules until a rule has been created with that user/group at least once. The reason for this is because of the huge amount of load it would take if you had several hundred firewalls, each with different domains configured with a single Panorama (imagine how long it would take to query each firewall, which would query each domain, and return the full group and user list).

If you create the policy local to the firewall, the group will indeed prepopulate because the scope is limited to that one firewall's set of user and group data.

Once you create a policy which has a user- or group-name on Panorama, that user/group will be available for future rules. Note that there is no integrity check, so a mistake will be allowed through and simply fail to match. I recommend copying the user data from an LDAP browser so you don't have to worry about the syntax.

Hope this helps,

Greg Wesson

Re: Unable to assign Security Policy to Users or Groups

mschuricht — Fri, 24 May 2013 00:21:56 GMT

This sound like a bug...

Was the master device selected in the Device Group configuration?

User-ID groups should be pulled from the Master Device for selection in Policy and will also be queried upon search to pull individual users as well.

Re: Unable to assign Security Policy to Users or Groups

MRosloniec — Tue, 04 Jun 2013 17:47:38 GMT

Yes there is a master device set. We went ahead and opened a case on this issue.