topic Re: User identification in security policy in General Topics

User identification in security policy

ArkadiuszSmolarek — Mon, 07 Sep 2020 12:16:39 GMT

Hello,

I have a problem with configuration of user identification in security policy. What is the target: for some users who login to VPN via GlobalProtect I would like to limit them to some specific subnet. Users login to VPN using their Active Directory accounts (via Radius). I created LDAP profile, group mapping and security policy (with source group). I also in AD created some groups and added users to them. When I check on CLI: show user group name GROUP-NAME I see users belongs to the group but when I login via GP I don't have access to resources permited in policy. Where can be the problem?

Thank you for any help.

Regards

Re: User identification in security policy

kiwi — Mon, 07 Sep 2020 12:41:24 GMT

Hi @ArkadiuszSmolarek ,

I would be helpful to know how the firewall is identifying the traffic/session.

Is the traffic being denied by your general deny rule ? Can you check the session info (userinfo/zones/destinations/etc ...) and verify if everything is matching according to the rule you've configured ?

Cheers,

-Kiwi.

Re: User identification in security policy

ArkadiuszSmolarek — Mon, 07 Sep 2020 12:44:20 GMT

Hi,

Yes, the traffic that should be identified by created by me security rule is hit by default deny rule.

The rule created by me have 0 hits.

Regards

Re: User identification in security policy

Abdul-Fattah — Mon, 07 Sep 2020 13:14:02 GMT

I would check the Firewall Traffic Logs, and look for the IP of GP-User and see if user-ID has been correctly identified.

check User-ID Logs too

Re: User identification in security policy

ArkadiuszSmolarek — Mon, 07 Sep 2020 13:32:14 GMT

In the traffic log and User-ID log I see correct user identification:

Re: User identification in security policy

Abdul-Fattah — Mon, 07 Sep 2020 13:41:06 GMT

can you also share your security Policy pls.

Re: User identification in security policy

ArkadiuszSmolarek — Mon, 07 Sep 2020 13:53:55 GMT

Re: User identification in security policy

Abdul-Fattah — Mon, 07 Sep 2020 18:48:41 GMT

what you see in traffic log is the User-ID detected from GP login and not same as "Omintech\asmolarek".

enable User-ID agent, from "Device-->UserIdentification" with the crossponding login-information and make sure you select "Allow Matching username without domains"

after that the traffic should be matched by the secrutiy Policy

Good luck.

Re: User identification in security policy

ArkadiuszSmolarek — Tue, 08 Sep 2020 06:17:09 GMT

Thanks, it works 🙂