topic Re: Security policy not working with Group Mapping in General Topics

Security policy not working with Group Mapping

MP18 — Wed, 06 Feb 2019 04:30:54 GMT

I have configured LDAP group under Group Map settings.

I have added the ldap group there.

Then under security policy source user is any and under user i added that group name.

When i do sh user group list i see the group name and user ids under it.

when i try to reach the destination ip under that rule firewall denies that traffic.

Security rule

zone1 and destination is zone 2

I have enabled used id under zone 1

When i see deny in firewall i see my user id there

Any thoughts?

Re: Security policy not working with Group Mapping

BPry — Wed, 06 Feb 2019 03:22:10 GMT

@MP18 wrote:

Traffic flow in firewall - zone1 then zone 2

Traffic has to come via Zone 1 to reach Zone2.

Security rule

zone 2 and destination is zone 3

Can you include a screenshot of the log and the security policy that you are talking about here? If I'm reading this correctly it sounds like what you are saying would make sense; if the security policy states traffic from 'zone 2' can reach 'zone 3' and then the log is identifying a source of 'zone 1' the policy shouldn't work for that traffic, as it doesn't match.

Re: Security policy not working with Group Mapping

MP18 — Wed, 06 Feb 2019 03:44:00 GMT

Re: Security policy not working with Group Mapping

MP18 — Wed, 06 Feb 2019 04:32:18 GMT

i have attached the screenshot.

same rule works fine if i just use my userd id instead of group name.

Also i have modified the traffic flow in earlier post sorry for that confusion.

Re: Security policy not working with Group Mapping

MP18 — Wed, 06 Feb 2019 04:05:34 GMT

i tsested again by removing and adding the group name it worked now.

pretty strange behaviour sometimes it works and sometimes not

Re: Security policy not working with Group Mapping

aleksandar.astardzhiev — Wed, 06 Feb 2019 11:46:53 GMT

@MP18,

Group-Mapping has default setting to poll the LDAP every 3600sec (one hour) to get the list of users for a given user group. I have seens lots of times when test user is put in the allowed user group on the AD and the user test his access immideately after that. But since the firewall is updating its information every hour, Palo Alto FW will not know that this user is already part the allowed group.

I am more interested in how do you optain the user id information? How do you perform the ip-to-user mapping, what is your source.

Other common issue I have seens is that ip-to-user mapping doesn't include the domain, while the user group-mapping does, and firewall again fail to match the user with the allowed user group.

Also what attribute are using to the username? For example user group-mapping is polling the UPN, but your ip-to-user mapping source is using CN

I would say a good start will be to compare the outpus from
> show user ip-user-mapping all

> show user group name <full-cn-of-the-allowed-group>

Re: Security policy not working with Group Mapping

MP18 — Wed, 06 Feb 2019 12:59:29 GMT

For userid we are using user id agent running on windows.

So PA talk to those user id agents and get the mapping.

for group mapping we use ldap also we use domain name with it

I have already run those commands and not much i can find in them

idle timeout for user id agent is 4 hours.

In group mappings i see update interval to default ?

should i increase the value here to like 4 hours?

Re: Security policy not working with Group Mapping

MP18 — Fri, 08 Feb 2019 04:33:37 GMT

Nothing is changed in the config.

Group mapping is working fine from last 3 days

Re: Security policy not working with Group Mapping

MP18 — Sun, 10 Feb 2019 17:05:35 GMT

still working fine with user group