LDAP Group Mappings in a Mixed 6.x and 7.x Environment with Panorama

Created On 09/25/18 18:59 PM - Last Modified 07/19/22 23:09 PM


Resolution


User mlinsemier provides some insight for our mid-week discussion on LDAP group mappings using Panorama in a mixed PAN-OS environment.

I'd like to share a quick tip for people who may be considering upgrading from 6.x to 7.x in an environment using Panorama.

 

In PAN-OS 7.x, your Active Directory domain information has been moved from the LDAP settings to the Group Mapping settings. As the first step in upgrading to 7.x is upgrading your Panorama server, you'll immediately notice the absence of this field in the template.

 

(Screenshot: Panorama Template.png)


Instead, the setting now appears under Group Mapping:

 

(Screenshot: Group Mapping.png)

 

If you push this template to any devices running PAN-OS 6.x, the domain field in the LDAP settings becomes empty, which can cause users in groups to return an incorrect mapping without the domain. In our case, it caused the following to happen:

 

User-ID:

IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
X.X.X.X         vsys1  UIA     <domain>\mlinsemier              40             40

Group Mapping:

short name: <domain>\pan-downloads-it

source type: proxy
source: Group Mapping - Domain

[1 ] \mlinsemier
[2 ] \jsmith
[3 ] \jdoe

 

You'll notice that user names in the Group Mapping are missing domain information, causing any rules set up based on groups to map incorrectly.

 

To fix the problem with mapping, first push your template, then create a local override on each PAN-OS 6.x firewall for each LDAP group and enter your domain.

 

(Screenshot: Firewall Domain.png)

 

When upgrading a firewall to PAN-OS 7.x, Panorama may show that the templates for that device are still 'in sync' after the upgrade. We didn't re-push the templates after the upgrade to our PAN-OS 7.x firewalls, which meant that the domain field in Group Mapping was blank and caused the same issues. After pushing the templates, the information was populated from the template and all was fixed.

 

Wanted to share in case others are experiencing the same issues.

 

-Matt
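The symptom Matt describes is visible entirely in the CLI output: the IP-to-user mapping carries a domain prefix while the group members do not, so a group-based rule never matches. The following Python script is an added example, not part of Matt's post and not a Palo Alto Networks tool. It parses the two kinds of output quoted above (the formats produced by `show user ip-user-mapping all` and `show user group name`), flags every group member that lacks a domain prefix, and reports whether each mapped user would actually match the group. The sample output is constructed to mirror the post, with the placeholder domain "example" standing in for <domain> and placeholder IP addresses; a "fixed" variant of the group output shows what a working mapping looks like after the local override or the template re-push.

```python
"""Audit User-ID group-mapping output for missing domain prefixes.

Added example, not from the original post.  The sample output below is
constructed to mirror the CLI output quoted in the article; "example" is a
placeholder domain and the IP addresses are placeholders.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample of `show user ip-user-mapping all` output.
IP_USER_MAPPING = """\
IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
10.1.1.25       vsys1  UIA     example\\mlinsemier              40             40
10.1.1.26       vsys1  UIA     example\\jsmith                  40             40
"""

# Constructed sample of `show user group name` output from a PAN-OS 6.x
# firewall whose LDAP domain field was blanked by the template push.
GROUP_MAPPING_BROKEN = """\
short name: example\\pan-downloads-it

source type: proxy
source: Group Mapping - Domain

[1 ] \\mlinsemier
[2 ] \\jsmith
[3 ] \\jdoe
"""

# The same group once the domain is set again (local override or re-push).
GROUP_MAPPING_FIXED = GROUP_MAPPING_BROKEN.replace("] \\", "] example\\")

# Member lines look like "[1 ] \mlinsemier".
MEMBER_RE = re.compile(r"^\[\s*\d+\s*\]\s+(\S+)\s*$")
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def split_domain(name: str) -> Tuple[str, str]:
    """Split 'DOMAIN\\user' into (domain, user); a missing prefix yields ''."""
    domain, sep, user = name.partition("\\")
    return (domain, user) if sep else ("", name)


def parse_ip_user_mapping(text: str) -> Dict[str, str]:
    """Map IP -> user from the tabular ip-user-mapping output."""
    mapping: Dict[str, str] = {}
    for line in text.splitlines():
        fields = line.split()
        # Data rows have six columns and start with a dotted-quad address;
        # the header and dashed separator rows fail the address check.
        if len(fields) == 6 and IPV4_RE.fullmatch(fields[0]):
            mapping[fields[0]] = fields[3]
    return mapping


def parse_group_members(text: str) -> Tuple[str, List[str]]:
    """Return (group short name, [member names]) from the group output."""
    short_name = ""
    members: List[str] = []
    for line in text.splitlines():
        if line.startswith("short name:"):
            short_name = line.split(":", 1)[1].strip()
            continue
        m = MEMBER_RE.match(line)
        if m:
            members.append(m.group(1))
    return short_name, members


def domainless_members(members: List[str]) -> List[str]:
    """Members with an empty domain prefix: the symptom described in the post."""
    return [m for m in members if split_domain(m)[0] == ""]


def group_match_report(ip_users: Dict[str, str], members: List[str]) -> Dict[str, bool]:
    """For each mapped user, does the exact same name appear in the group?

    A group-based rule only applies when the User-ID name and the group
    member name agree, domain prefix included (compared case-insensitively).
    """
    member_set = {m.lower() for m in members}
    return {user: user.lower() in member_set for user in ip_users.values()}


def audit(ip_text: str, group_text: str) -> Dict[str, object]:
    """Run both checks and return a summary a script or test can consume."""
    ip_users = parse_ip_user_mapping(ip_text)
    short_name, members = parse_group_members(group_text)
    return {
        "group": short_name,
        "domainless": domainless_members(members),
        "matches": group_match_report(ip_users, members),
    }


if __name__ == "__main__":
    for label, group_text in (("broken", GROUP_MAPPING_BROKEN), ("fixed", GROUP_MAPPING_FIXED)):
        result = audit(IP_USER_MAPPING, group_text)
        print(f"[{label}] group {result['group']}")
        print(f"  members missing a domain prefix: {result['domainless']}")
        for user, ok in result["matches"].items():
            print(f"  {user}: {'matches group' if ok else 'NO MATCH - rule will not apply'}")
```

Run against real output captured from each 6.x firewall after a template push; any non-empty "domainless" list means the override on that device is missing, and a False in the match report means the affected user falls through every group-based rule.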

 


 

Access the original discussion here: TIP: LDAP Group Mappings in a mixed 6.x and 7.x environment with Panorama

 

 

Hope you enjoyed reading. Please feel free to comment.

 

Tom Piens

 

 



Article: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSECA0