topic Re: User id connected but users name not showing in the security policy in General Topics

User id connected but users name not showing in the security policy

VishnuPS — Mon, 06 Sep 2021 07:35:49 GMT

Dear Team,

I have integrated AD to my PA NGFW. User id is showing connected but when I create any user based policy there is no users.

I have tried cleared user is cache, refresh etc. But still same.

Please find the below SS for reference

useridd.log
2021-09-06 11:33:32
2021-09-06 11:33:32.523 +0530 connecting to ldap://[10.1.2.102]:389 ...
useridd.log
2021-09-06 11:33:32
2021-09-06 11:33:32.584 +0530 ldap cfg BLR_AD connected to 10.1.2.102:389(index 0)
useridd.log
2021-09-06 11:33:35
2021-09-06 11:33:35.123 +0530 pan_ha_is_sync_needed: needed=0, is_peer_up=0, state=0, peer_state=0
useridd.log
2021-09-06 11:33:35
2021-09-06 11:33:35.230 +0530 /opt/pancfg/cache/pan/VSYS_USER.db saved to disk, digest: 5153bfd3957d20d95f72742fd4c88034
useridd.log
2021-09-06 11:33:35
2021-09-06 11:33:35.633 +0530 Building userinfo.xml takes 0s
useridd.log
2021-09-06 11:33:36
2021-09-06 11:33:36.921 +0530 Error: pan_ldap_ctrl_search_device(pan_ldap_ctrl.c:1889): user_id database is not bound yet

Please help me to resolve this issue.

Re: User id connected but users name not showing in the security policy

PavelK — Mon, 06 Sep 2021 08:15:26 GMT

Thank you for posting message @VishnuPS

If I understand it correctly, you are not able to select source user while creating a new policy? Have you configured Group Mapping Setting? Here is a reference: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFQCA0 If yes, could you navigate to: Device > User Authentication > Group Mapping Settings > (Name) > Group Include List > Available Group, then type AD Group or User and try to search it by pressing Apply Filter button. If LDAP integration works well, the AD Group or User will appear in the list. All the AD Groups / Users that are available here, should be also selectable in new policy under source user.

Kind Regards

Pavel

Re: User id connected but users name not showing in the security policy

VishnuPS — Mon, 06 Sep 2021 09:52:37 GMT

Hi Pavel,

We verified the configurations it's good only.

I forgot you telling one thing, actually, I configured the user-id configuration from the panorama. I need to enable anything in the panorama.

Re: User id connected but users name not showing in the security policy

PavelK — Mon, 06 Sep 2021 13:05:35 GMT

Thank you for reply @VishnuPS

I see. When it comes to Panorama and pushing user information, there is one difference compared to configuring it locally on Firewall. The format of AD information has to be in Distinguished Name (DN). Here is the KB for reference (Please go to point No.5): https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIOCA0

After you configure it in this format, and push it to managed Firewall, the user information should be available in security policy.

Alternative solution would be to enable one Firewall that already has all information as a Master Device in the Device Group. Here is a KB for reference: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMtpCAG

I have tested both of the solutions and both were functional.

Thank you and Regards

Pavel