topic Re: User-ID Group Mapping not working in a security policy in General Topics

User-ID Group Mapping not working in a security policy

G.Grant — Thu, 06 May 2021 19:30:26 GMT

Hi,

I have searched and found similar posts but none seem to have a working solution for this...

I have a simple security policy to deny access to a VM located in the 'trust' zone if it matches a user in the user group created on the AD server.

I've confirmed with 'show user group name' that the firewall can indeed see the correct users in the group but when applying that group to the deny policy i'm not getting a hit.

any ideas?

Thanks,

Re: User-ID Group Mapping not working in a security policy

dmifsud — Thu, 06 May 2021 19:55:47 GMT

First thing is, does the user actually have an IP mapping? A group mapping alone isn't enough for this to work.

> show user ip-user-mapping all

Or check the traffic log historically for the time you tested it, does the 'src user' field have a value or not?

Re: User-ID Group Mapping not working in a security policy

G.Grant — Thu, 06 May 2021 20:52:15 GMT

Yes the user has an IP mapping.

The user is accessing via GlobalProtect VPN which drops the user into 'VPN_Zone'. There's no issues with VPN connectivity and the user can access everything in the 'trust' zone which I can confirm in the logs. Yes their username is showing under 'src user'.

I then place a rule above the 'allow all' rule I have for VPN users to access resources in the 'trust zone'.

This deny rule to block access to a specific IP address contains the users group on the AD directory. The same group that contains the user that is connected via the VPN successfully.

Re: User-ID Group Mapping not working in a security policy

dmifsud — Thu, 06 May 2021 22:54:34 GMT

It sounds like there may be a mismatch between IP and group mapping.

Please check the domain/username formats between:

> Show user Ip-user-mapping all

> Show user user-ids all

And are you overriding domain in the auth profile or group mapping settings? Is so, are they set to the same thing? If not, you may need to override one or the other.

Re: User-ID Group Mapping not working in a security policy

G.Grant — Thu, 06 May 2021 23:40:30 GMT

The output of the commands you recommended shows that the user with the IP address is indeed the same as the user in the AD group. All output is as expected. This is a lab setup so I only have one group and I can see the username is correct.

No I'm not overriding domain in auth profile or group mapping. I thought the firewall automatically detected the domain from the server profile? I've left 'User Domain' blank and 'Username Modifier' as the default '%USERINPUT%' in auth profile and group mapping.

Re: User-ID Group Mapping not working in a security policy

Mick_Ball — Fri, 07 May 2021 09:48:04 GMT

Yes their username is showing under 'src user'.

does the username begin with userdomain\

if not then you will need to add the domain name into the auth profile "User Domain".

Re: User-ID Group Mapping not working in a security policy

G.Grant — Fri, 07 May 2021 10:41:25 GMT

If I enter the domain in the auth profile 'User Domain' field then it messes up the VPN setup and the user can no longer connect.

At the moment the user authenticates to the LDAP server successfully when connecting via GlobalProtect and can access resources on the network. This tells me there is nothing wrong with reaching the AD server and authenticating the user in the user group. The user gets an IP and can access resources.

When logged in as the user via the GlobalProtect VPN I can see in the traffic log it's successfully showing the correct 'source user' as I connect to different network resources.

What I don't understand why is if I then try to create a rule blocking that user from accessing a specific IP on the network it doesn't work. I know the rule is working because if I remove the 'Source User' part of the rule I get hits and it shows the correct user in the log.

Re: User-ID Group Mapping not working in a security policy

Mick_Ball — Fri, 07 May 2021 10:49:19 GMT

ok lets go back a step.... do you actually have a rule that allows that AD group access to the network?

or is it just allowed by source zone or individual user?

Re: User-ID Group Mapping not working in a security policy

G.Grant — Fri, 07 May 2021 11:01:17 GMT

At present anyone connecting in via VPN can access the network via an 'allow any' rule from 'SSL_VPN' zone to the 'trust' zone.

I've placed a rule above that rule to deny access to one IP address on the network if the source user is in the 'hpslab\globalprotect-vpnusers' group. This group has been pulled from the AD server and contains the user that I'm logged in via the VPN to test with.

So as it stands at the moment I can still access the '192.168.50.1' IP and the deny rule isn't working.

Re: User-ID Group Mapping not working in a security policy

Mick_Ball — Fri, 07 May 2021 11:04:21 GMT

ok so the reason why the rule with the group is not working is because it is a domain group and your user auth does not contain the domain info as mentioned earlier, you need to find out why this causes an issue to your login when added.

i will test in my lab and update later today.

Re: User-ID Group Mapping not working in a security policy

G.Grant — Fri, 07 May 2021 11:05:37 GMT

Thanks for your help Mick

Re: User-ID Group Mapping not working in a security policy

dmifsud — Fri, 07 May 2021 12:55:47 GMT

If the domain format matches in IP mapping and Group mapping, then you can check the user's attributes. I would go through like this:

Does domain format(fqdn vs flat netbios) and username match under these two:

> show user group name <group dn>

> show user ip-user-mapping <all|ip x>

Do you see a mismatch with the Primary or Alt attributes (specifically domain fqdn vs netbios) compared with the previous commands?

> show user user-attributes user <>

Also check that you have a domain map shortening the fqdn to netbios:

> debug user-id dump domain-map

Re: User-ID Group Mapping not working in a security policy

Mick_Ball — Fri, 07 May 2021 15:08:38 GMT

As per @dmifsud advice, here is my output for both group and ip mapping. They both have domain prefix. Can you post your results of the same commands.

Re: User-ID Group Mapping not working in a security policy

G.Grant — Fri, 07 May 2021 16:08:01 GMT

Thanks... heres some output:

Re: User-ID Group Mapping not working in a security policy

Mick_Ball — Fri, 07 May 2021 15:51:53 GMT

Ok some good info...

the user ip mapping ggrant does not have the domain prefix so using domain groups will not work.

this will work if you add the domain to the authentication profile, this is what i do for my ipads and domain authentication works fine.

Re: User-ID Group Mapping not working in a security policy

G.Grant — Fri, 07 May 2021 16:05:06 GMT

Holy moly it worked.

I added the domain in the auth profile and left the username modifier as the default.

I tried this yesterday but changed the modifier to %USERDOMAIN%/%USERINPUT% and it didn't work.

Thanks all for your help on this.

Re: User-ID Group Mapping not working in a security policy

alvaroarcaz — Thu, 14 Jul 2022 17:21:50 GMT

Let me know if there is a way to remove the domain name from the group mapping

In my case:

show user group name emea.com\test

short name: emea.com\test

source type: ldap
source: test

[1 ] emea.com\test1
[2 ] emea.com\test2
[3 ] emea.com\test3

i only need from the group mapping the name "test1 or "test2" or "test3"

The reason why is because i get from external source on palo alto the user id test1 or "test2" or "test3"

The goal is create a policy rule base on the source user that is being part of a domain group

i expend hours and there is no way to understand or found the reason why palo alto get from ldap group mapping "domain name + name"

Re: User-ID Group Mapping not working in a security policy

alvaroarcaz — Thu, 14 Jul 2022 17:26:00 GMT

Please could you detail this a bit? I had a similar situation and not follow what is your solution even on the original post!

Thanks!

Re: User-ID Group Mapping not working in a security policy

JScottNaviH — Thu, 20 Apr 2023 17:00:32 GMT

I'm experiencing a similar situation where using the internal USER-ID agent and mapping to three (3) server monitor domain controllers. Recently a user was denied access, and when searching the monitor traffic I noticed the there was no user mapping associated with the traffic. However, when I search the monitor>User ID, it shows that the firewall new of a user-mapping between I and user during that specific time.

note: When looking at monitor > User ID, I do notice that of the 3 server monitor, the user mapping only sources from 2 of the 3 domain controllers.

If anyone can provide some insight, this would be helpful. Thanks.