topic Re: TIP: LDAP Group Mappings in a mixed 6.x and 7.x environment with Panorama in General Topics

TIP: LDAP Group Mappings in a mixed 6.x and 7.x environment with Panorama

mlinsemier — Wed, 16 Sep 2015 16:53:17 GMT

All,

I thought I would share a quick tip for those people that may be considering upgrading from 6.x to 7.x in an environment where you are using Panorama.

In PAN-OS 7.x, the information of your Active Directory domain has been moved from the LDAP settings to the Group Mapping Settings. As the first step in upgrading to 7.x is upgrading your Panorama server, you will immediately notice that this field is no longer available in the template.

This setting has been moved to Group Mappings:

If you push this template to any devices that are running PAN-OS 6.x, the domain field in the LDAP settings will become empty which can cause your users in groups to return the wrong mapping without the domain. In our case, it caused the following to happen:

User-ID

IP Vsys From User IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------

X.X.X.X vsys1 UIA <domain>\mlinsemier 40 40

Group Mapping:

short name: <domain>\pan-downloads-it

source type: proxy
source: Group Mapping - Domain

[1 ] \mlinsemier
[2 ] \jsmith
[3 ] \jdoe

You will notice that the user names in the Group Mapping are missing the domain portion. This causes any rules that you have setup based on groups not to map correctly.

To fix the issue, you must push your template and then create a local override on each PAN-OS 6.x firewall for each LDAP group and enter your domain.

One thing also to note is that when you upgrade a firewall to PAN-OS 7.x, Panorama may still show that your Templates for that devife a re still '"in Sync" after the upgrade. We didn't re-push the templates after the upgrade to our PAN-OS 7.x firewalls, which meant that the domain field in Group Mapping was blank and caused the same issues. Once we pushed them, the information was populated from the template and all was fixed.

I thought I would share this just in case others are in a similar boat as we were. YMMV.

-Matt

Re: TIP: LDAP Group Mappings in a mixed 6.x and 7.x environment with Panorama

cpainchaud — Thu, 17 Sep 2015 09:09:41 GMT

This is very useful feedback from the field. Thank you !!!

I am actually curious : did you create a TAC case ? IMO it should be highlighted as a bug , a mechanism should be in place to support PANOS 6.0<

Re: TIP: LDAP Group Mappings in a mixed 6.x and 7.x environment with Panorama

mlinsemier — Thu, 17 Sep 2015 13:26:34 GMT

This actually surfaced as two different TAC cases, Panorama 7.x with PAN-OS 6.x clients and PAN-OS 7.x Group Mappings not working. We had both of them open at the same time (was waiting for more troubleshooting for the initial case), when through troubleshooting myself it dawned on me what was happening.

I did ask TAC to forward this to engineering and also sent this up to my Palo Alto SE to ask him to create a bug for this. In a mixed environment, Panorama will need to know the PAN-OS to determine now to configure LDAP and Group Mapping, which right now I don't know if this is possible.

Anyways, glad it was helpful. I love the Palo Alto product and figured if I can give back to the community to save at least one other engineer hours of troubleshooting, it's a good thing.

-Matt