In our IT infrastructure we have to use UPN names for user authentication. One reason is to have more than 20 characters for user names in comparison to the SAMaccountName.
Our functional level of Active Directory is Server 2012-R2. On the PA3020 we use Firmware V6.02.
We created a user group mapping (User Identification/Group Mapping Settings) on the Palo Alto firewall, based on "userPrincipalName", as described in the PA manuals.
Our biggest problem is the removal of the UPN suffix in User-Group-Mapping.
Here is an example: user "email@example.com" becomes "max.mayer". The DNS suffix is inexplicably cut off.
User access to the LAN is via GlobalProtect Gateway and UPN. In this way the IP-to-user mapping is OK.
Since we now work in the security policy rules on the Palo Alto only with the group from Active Directory, the rules have no effect.
Thus we are not able to control the traffic on the basis of AD groups.
Thank you in advance