topic Re: AD Groups in Firewall Policy - Inconsistent Behaviour in General Topics

AD Groups in Firewall Policy - Inconsistent Behaviour

apackard — Wed, 10 Oct 2012 16:03:21 GMT

I have two issues with managing firewall policies when using AD groups; running 4.1.7 - so am using the 'on-hardware' group retrieval rather than the PAN Agent.

1) When adding new groups to be mapped they do not appear in the GUI i.e. cannot be selected for a policy from the 'drop down' selector. This will usually fix itself after a random amount of time - hours or days (and this occurs even when, using the command line interface, I have confirmed that the group is being populated and tracked by the firewall using the show users groups name command etc).

2) The Palo policy UI seems to randomly display the groups (and users) in either AD format or X500(?) format i.e. sometimes it uses acme\auser and othertimes it uses cn=auser, ou=users, o=acme

This occurs both on the PA firewalls and our Panorama install.

It's annoying more than anything, as we can usually work our way round the issue, but understanding why it doesn't behave consistently would be a bonus!

Rgds

Re: AD Groups in Firewall Policy - Inconsistent Behaviour

PYNICOLAS — Wed, 10 Oct 2012 16:09:45 GMT

I've the same trouble with PANOS version 4.1.9.

Rgds

Re: AD Groups in Firewall Policy - Inconsistent Behaviour

apackard — Wed, 10 Oct 2012 16:16:53 GMT

I've just got a little further forward.

My PA's are in HA pairs and it looks as if maybe only the active device will update the GUI etc to make the new groups visible.

As (in the scenario I have at the moment) the passive PA is the one set as the master device for that group in Panorama, it looks as if Panorama won't make it available in the policy section either. I have just switched the master device to the currently active PA and now I can select the newly mapped group in the Panorama policy, and push to the HA pair.

Not sure if the policy will work properly on the (currently) passive box if it is promoted to live though....

Or - it was just luck that the GUI decided to update at the time I was testing that scenario!

Re: AD Groups in Firewall Policy - Inconsistent Behaviour

ND — Thu, 11 Oct 2012 21:38:58 GMT

I've not seen the new group mapping issue before but suspect that the config push from Panorama may also replicate the change to the other node (including the new group) although you may want to log a call with support to confirm correct functionality but also so that they can keep track of this.

The user issue (acme\auser vs cn=auser) described is something that will be addressed in 4.1.9 - this was identified as a cosmetic issue and does not impact functionality. For clarity, 4.1.8 is the latest code and was released mid September.

Re: AD Groups in Firewall Policy - Inconsistent Behaviour

CRT-Capital — Tue, 12 Feb 2013 22:02:38 GMT

I'm running 4.1.10 and the cosmetic bug still exists.