<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Rules not applying to AD groups in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/rules-not-applying-to-ad-groups/m-p/13341#M9781</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi rmgnetwork,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Do you have an example? I have run into this same problem.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Fri, 10 Aug 2012 05:07:36 GMT</pubDate>
    <dc:creator>mindterra</dc:creator>
    <dc:date>2012-08-10T05:07:36Z</dc:date>
    <item>
      <title>Rules not applying to AD groups</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/rules-not-applying-to-ad-groups/m-p/13338#M9778</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;For some reason my Palo Alto 2020 has stopped recognizing rules that are applied to AD user groups. My 2 User ID agents are running on the Domain controllers and are showing green on my Palo Alto box.&lt;/P&gt;&lt;P&gt;It works if I apply the rule to a specific AD user, so I know it is able to communicate with the ID agent; otherwise it wouldn't register the user as logged on. It also lets me add the AD user group to a rule, so it must be discovering the groups somehow. But when it comes to the web browsing rule, in this example, it doesn't apply the rule that is set for a user group.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The only thing different was that I moved a server into a different IP range last night and changed the necessary security and NAT rules. I didn't touch the network range that is being affected at all, though, and didn't make any changes to point to or away from that range either, or the range it points to.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Any ideas? Is there anything I can look at on the ID agent to see why it would not be applying rules to AD groups?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 01 Aug 2012 08:57:58 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/rules-not-applying-to-ad-groups/m-p/13338#M9778</guid>
      <dc:creator>slawek.kunach</dc:creator>
      <dc:date>2012-08-01T08:57:58Z</dc:date>
    </item>
    <item>
      <title>Re: Rules not applying to AD groups</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/rules-not-applying-to-ad-groups/m-p/13339#M9779</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Since the security rules work when you apply an individual user to the security policy and not the AD groups, it means that your user-IP mapping (done by the User-ID agent) is working correctly but not the user-group mapping. Did you make any changes to your LDAP settings? Can you please check if the user is being associated with the groups properly using the command "show user group name &amp;lt;value&amp;gt;". Make sure that the user is present in the AD group.&lt;/P&gt;&lt;P&gt;Which version of the User-ID agent are you using? I am assuming you are using agent version 4.1.X, in which user-IP mapping is done by the User-ID agent and user-group mapping is done by the firewall (Device -&amp;gt; User Identification -&amp;gt; Group Mapping Settings). So you might want to double check these settings on the firewall.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Tx,&lt;/P&gt;&lt;P&gt;Sandeep T&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 01 Aug 2012 16:13:47 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/rules-not-applying-to-ad-groups/m-p/13339#M9779</guid>
      <dc:creator>sdurga</dc:creator>
      <dc:date>2012-08-01T16:13:47Z</dc:date>
    </item>
    <item>
      <title>Re: Rules not applying to AD groups</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/rules-not-applying-to-ad-groups/m-p/13340#M9780</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I ran into the same issue and found the problem was not with the User-ID agent, which is mapping things correctly as you mentioned, but with the bind point I had set within the LDAP server profiles on the PAN itself.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Device -&amp;gt; Server Profiles -&amp;gt; LDAP&lt;/P&gt;&lt;P&gt;I had the bind point set too low in the LDAP tree to enumerate user IDs, but high enough that it knew about the groups.&lt;/P&gt;&lt;P&gt;What I was seeing: I could apply policies to groups, but users within those groups would not get the policy.&lt;/P&gt;&lt;P&gt;When I checked to see what users belonged to what groups (through the CLI), I was not seeing any users as members of any groups.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Once I changed my LDAP bind point to be above both the group AND user OUs, the PAN was able to map users to the proper groups and policies applied to groups started working fine.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;YMMV, just something I ran into, so maybe it helps.&amp;nbsp; &lt;span class="lia-unicode-emoji" title=":grinning_face_with_big_eyes:"&gt;😃&lt;/span&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 02 Aug 2012 18:07:19 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/rules-not-applying-to-ad-groups/m-p/13340#M9780</guid>
      <dc:creator>rmgnetwork</dc:creator>
      <dc:date>2012-08-02T18:07:19Z</dc:date>
    </item>
    <item>
      <title>Re: Rules not applying to AD groups</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/rules-not-applying-to-ad-groups/m-p/13341#M9781</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi rmgnetwork,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Do you have an example? I have run into this same problem.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 10 Aug 2012 05:07:36 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/rules-not-applying-to-ad-groups/m-p/13341#M9781</guid>
      <dc:creator>mindterra</dc:creator>
      <dc:date>2012-08-10T05:07:36Z</dc:date>
    </item>
    <item>
      <title>Re: Rules not applying to AD groups</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/rules-not-applying-to-ad-groups/m-p/13342#M9782</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Setting the LDAP server profile and then the group mappings seems to have solved my problem.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks everyone.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 10 Aug 2012 07:19:24 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/rules-not-applying-to-ad-groups/m-p/13342#M9782</guid>
      <dc:creator>slawek.kunach</dc:creator>
      <dc:date>2012-08-10T07:19:24Z</dc:date>
    </item>
    <item>
      <title>Re: Rules not applying to AD groups</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/rules-not-applying-to-ad-groups/m-p/13343#M9783</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Do you have any command on Palo Alto to check which group the user is in?&lt;/P&gt;&lt;P&gt;I've already set the LDAP Server Profile and Group Mapping, but it doesn't work.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;IMG alt="AD Group.png" class="jive-image-thumbnail jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/3748_AD Group.png" width="450" /&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 10 Aug 2012 07:27:10 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/rules-not-applying-to-ad-groups/m-p/13343#M9783</guid>
      <dc:creator>mindterra</dc:creator>
      <dc:date>2012-08-10T07:27:10Z</dc:date>
    </item>
    <item>
      <title>Re: Rules not applying to AD groups</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/rules-not-applying-to-ad-groups/m-p/13344#M9784</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;One thing that I have noticed different on your configuration is the Bind DN in the LDAP server profile. I put it in the format domain\administrator and then put in the admin password below it. Not sure if it would work for you, but worth a shot.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I think there was a command you can use to check user groups, but I can't remember it off the top of my head. I will see if I can dig it up for you.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 10 Aug 2012 07:45:00 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/rules-not-applying-to-ad-groups/m-p/13344#M9784</guid>
      <dc:creator>slawek.kunach</dc:creator>
      <dc:date>2012-08-10T07:45:00Z</dc:date>
    </item>
    <item>
      <title>Re: Rules not applying to AD groups</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/rules-not-applying-to-ad-groups/m-p/13345#M9785</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;This command shows the groups a given user belongs to:&lt;/P&gt;&lt;P&gt;show user user-IDs match-user palo\test-user&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The following command shows the members of a given AD group:&lt;/P&gt;&lt;P&gt;show user group name "cn=domain users,cn=users,dc=palo,dc=local"&lt;/P&gt;&lt;P&gt;The 'group short name' works as well:&lt;/P&gt;&lt;P&gt;show user group name "palo\domain users"&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 10 Aug 2012 15:15:26 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/rules-not-applying-to-ad-groups/m-p/13345#M9785</guid>
      <dc:creator>panwmod</dc:creator>
      <dc:date>2012-08-10T15:15:26Z</dc:date>
    </item>
    <item>
      <title>Re: Rules not applying to AD groups</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/rules-not-applying-to-ad-groups/m-p/13346#M9786</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;It works fine now after I changed the domain in the LDAP Server Profile to have no .com&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks all&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 10 Aug 2012 15:29:29 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/rules-not-applying-to-ad-groups/m-p/13346#M9786</guid>
      <dc:creator>mindterra</dc:creator>
      <dc:date>2012-08-10T15:29:29Z</dc:date>
    </item>
  </channel>
</rss>