topic Re: Using Users instead of Groups in Policies - Help please in General Topics

Using Users instead of Groups in Policies - Help please

zearth — Wed, 24 Aug 2016 17:08:28 GMT

Hello all,

I'm new to PA but I'm really enjoying it...anyway, I've read everything I could find aboud group mappings, and one very good link is https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-User-ID/ta-p/69321 .. but it only show how to use a group in a policy.

Is it possible to use a "user" instead of a group in a policy? It seems I can only manage to retreive group info (user-id ip mappings are working through an Agent).

Thank you

Re: Using Users instead of Groups in Policies - Help please

Brandon_Wertz — Wed, 24 Aug 2016 18:44:02 GMT

Yes, I'm able to build a security policy using a specific user ID and not just a security group.

Re: Using Users instead of Groups in Policies - Help please

zearth — Wed, 24 Aug 2016 18:51:16 GMT

Thank you for your reply Brandon, can you please elaborate a bit more on how you did it? Am I missing something ? On the Staff group I have users inside (Staff1, etc)

Thank you in advance

Re: Using Users instead of Groups in Policies - Help please

BPry — Wed, 24 Aug 2016 19:47:45 GMT

Generally speaking you would want to include the user domain in your Server Profile, it looks like you would have zearthlink. Try giving that a shot and see if it gives you options to your user list; it may also be a good idea to verify that you actually have the right permissions setup, PAs require more permissions then most server admins would feel is necessary so often times I see them not actually have every permission that they need.

Re: Using Users instead of Groups in Policies - Help please

Brandon_Wertz — Wed, 24 Aug 2016 20:25:22 GMT

Yeah like @BPry said, I didn't have to do it from the group mapping, it's all probably because of a lack of permissions on the account you're using in the Palo to query AD. When I create a new security rule I'm able to just enumerate the domain and find the correct user accounts that are necessary.

Re: Using Users instead of Groups in Policies - Help please

zearth — Wed, 24 Aug 2016 20:26:20 GMT

Thank you Bpry for your comment. Unfortunately it didn't sort the issue out.

As for the account permissions, its the same I use for the user agent:

I even already tried with the "administrator" account (it's only a lab so not really a concern 🙂 ) without success.

If anyone have another idea please share it

Thank you in advance

Re: Using Users instead of Groups in Policies - Help please

BPry — Thu, 25 Aug 2016 15:20:19 GMT

It really sounds like you just don't have something configured properly on the AD side of things. Have you modified the properties on CIMV2 in WIM, have you actually enabled User Identification on the actual zone (this would explain why your accounts listed can't be used)? If you run show user ip-user-mapping all do you actually get anything listed or does nothing show up? You could verify well have multiple issues here that are masquerading as one

Re: Using Users instead of Groups in Policies - Help please

zearth — Thu, 25 Aug 2016 16:09:12 GMT

Hello Bpry,

thank you for getting back to me again. I have user identification enabled on LAN, gave FULL permissions to the panadmin account and even tried the administrator account:

I can see the user logged (staff1) and it's ip address but still can't filter by users, just groups 😕

Thank you in advance

Re: Using Users instead of Groups in Policies - Help please

zearth — Thu, 25 Aug 2016 16:33:00 GMT

Ok, I feel ashamed now..... It was working all along, I just needed to start typing the username for it to recognize because by default the users don't appear on the list :|:|:|:|:| Not really intuitive 😕 .. days lost!!!

I really appreciated your help on this guys, sorry for the wasted time.

Best regards