Not able to configure user/user groups under Global Protect Gateway under Panorama, same is possible

L1 Bithead

We have configured Global Protect VPN. We are trying to configure specific users/user groups under the Global Protect Gateway in the AGENT config on the Panorama server. Unfortunately, we are not able to see any user IDs/user groups in the drop-down list, but we can see the list locally on the firewall.

Need your help.

L6 Presenter

Re: Not able to configure user/user groups under Global Protect Gateway under Panorama, same is poss

Is the user list visible on the actual firewall itself?

Does the user list auto-populate when you start typing on Panorama?

L1 Bithead

Re: Not able to configure user/user groups under Global Protect Gateway under Panorama, same is poss

1. Yes, user IDs/groups are visible on the gateway but not on Panorama.

2. Yes, the user list auto-populates when you start typing on Panorama.

L6 Presenter

Re: Not able to configure user/user groups under Global Protect Gateway under Panorama, same is poss

Yes, I think this is a little confusing.

The user list does display on the local firewall, but only if those users have been included or used.

Try creating a new \agent\config on the firewall and see what happens when you try to add users. It only shows the groups, not members. Panorama acts in the same way.

L2 Linker

Re: Not able to configure user/user groups under Global Protect Gateway under Panorama, same is poss

Hello KPITNOC,

This is one thing that I've always found a little bit hokey on Palo Alto when using Panorama to manage things. The User-ID and group mapping process happens on the local firewall, but on Panorama, it's not necessarily the same. If you're configuring a User-Group mapping on the local firewall, Panorama in the past would not see this. I always had to copy the group name that shows up on the local firewall and push that setting through Panorama, or use the LDAP long name notation to push this from Panorama. It looks like this may have changed:

https://live.paloaltonetworks.com/t5/Management-Articles/Active-Directory-Groups-in-Panorama-Rules/t...

In the above article it says they fixed this, and the group mappings should be pulled from the master device. Do you have a master device set up for that device-group? If not, try setting the device that has the group mappings on it and then see if it populates.

Let me know what you find there.

Thanks

L2 Linker

Re: Not able to configure user/user groups under Global Protect Gateway under Panorama, same is poss

I forgot to mention, you will probably need to commit the Panorama configuration after setting a master device before anything will populate.

L1 Bithead

Re: Not able to configure user/user groups under Global Protect Gateway under Panorama, same is poss

Hi, thanks for your mail.

We have configured a Master device on Panorama. Also, we are able to configure/select user IDs/groups while configuring security policies on the same Panorama server.

We are not able to see the user list/groups under Global Protect Gateway in the AGENT tab. The same is visible locally on the firewall.

L5 Sessionator

Re: Not able to configure user/user groups under Global Protect Gateway under Panorama, same is poss

Hi @KPITNOC

What version is your Panorama on? The User-ID process running on Panorama was only implemented in PAN-OS 8.0 and above.

Thanks,

Luke.

L1 Bithead

Re: Not able to configure user/user groups under Global Protect Gateway under Panorama, same is poss

Hi,

Thanks for your reply.

It is currently the expected design of Panorama not to show user-group/user ID information in Templates, even when we have configured a Master device under the device group.

We are raising a Feature Request with the Palo Alto team for the same. We will share the number ASAP. Please give your vote for it.

Thanks again!
