TIP: LDAP Group Mappings in a mixed 6.x and 7.x environment with Panorama



All,

 

I thought I would share a quick tip for those people that may be considering upgrading from 6.x to 7.x in an environment where you are using Panorama.

 

In PAN-OS 7.x, the information of your Active Directory domain has been moved from the LDAP settings to the Group Mapping Settings. As the first step in upgrading to 7.x is upgrading your Panorama server, you will immediately notice that this field is no longer available in the template.

 

[Image: Panorama Template.png]


This setting has been moved to Group Mappings:

 

[Image: Group Mapping.png]

 

If you push this template to any devices that are running PAN-OS 6.x, the domain field in the LDAP settings will become empty which can cause your users in groups to return the wrong mapping without the domain.  In our case, it caused the following to happen:

 

User-ID

IP Vsys From User IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------

X.X.X.X     vsys1  UIA     <domain>\mlinsemier                40             40

 

Group Mapping:

 

short name: <domain>\pan-downloads-it

source type: proxy
source: Group Mapping - Domain

 

[1 ] \mlinsemier
[2 ] \jsmith
[3 ] \jdoe

 

You will notice that the user names in the Group Mapping are missing the domain portion.  This causes any rules that you have set up based on groups not to map correctly.

 

To fix the issue, you must push your template and then create a local override on each PAN-OS 6.x firewall for each LDAP group and enter your domain.

 

[Image: Firewall Domain.png]

 

One thing also to note is that when you upgrade a firewall to PAN-OS 7.x, Panorama may still show that your Templates for that device are still "in Sync" after the upgrade.  We didn't re-push the templates after the upgrade to our PAN-OS 7.x firewalls, which meant that the domain field in Group Mapping was blank and caused the same issues.  Once we pushed them, the information was populated from the template and all was fixed.

 

I thought I would share this just in case others are in a similar boat as we were.  YMMV.

 

-Matt
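As an added example (not part of the original post and not Palo Alto Networks code), here is a small Python check that parses the "Group Mapping" member listing in the format quoted above and flags any entry that arrived without its DOMAIN\ prefix, so the symptom described in the post can be caught right after a template push rather than after a rule stops matching. The sample output, the domain name "example" and the function names are constructed for this example.

```python
import re
from typing import List, Tuple

# Constructed sample modelled on the "Group Mapping" CLI output quoted in the
# post; the domain "example" and the account names are made up for this example.
SAMPLE_GROUP_OUTPUT = """\
short name: example\\pan-downloads-it

source type: proxy
source: Group Mapping - Domain

[1 ] \\mlinsemier
[2 ] example\\jsmith
[3 ] \\jdoe
"""

# Matches member lines such as "[1 ] example\jsmith"; the bracketed index is
# ignored and the user token is captured verbatim.
MEMBER_RE = re.compile(r"^\[\s*\d+\s*\]\s+(?P<user>\S+)\s*$")
SHORT_NAME_RE = re.compile(r"^short name:\s*(?P<group>\S+)\s*$")


def split_domain(name: str) -> Tuple[str, str]:
    """Return (domain, account) for a DOMAIN\\account token.

    An empty domain means the token has no domain prefix, which is exactly
    the broken state described in the post (e.g. "\\mlinsemier").
    """
    domain, sep, account = name.partition("\\")
    if not sep:
        return "", name
    return domain, account


def parse_group_output(output: str) -> Tuple[str, List[str]]:
    """Extract the group short name and its member tokens from CLI output."""
    group = ""
    members: List[str] = []
    for line in output.splitlines():
        stripped = line.strip()
        m = SHORT_NAME_RE.match(stripped)
        if m:
            group = m.group("group")
            continue
        m = MEMBER_RE.match(stripped)
        if m:
            members.append(m.group("user"))
    return group, members


def find_members_missing_domain(output: str) -> List[str]:
    """Return the member tokens whose domain prefix is empty."""
    _, members = parse_group_output(output)
    return [u for u in members if split_domain(u)[0] == ""]


def check_group_mapping(output: str) -> Tuple[bool, List[str]]:
    """Verify every member carries the same domain as the group short name.

    Returns (ok, problems); ok is True only when the group itself has a
    domain and no member is missing or mismatching that domain.
    """
    group, members = parse_group_output(output)
    group_domain, _ = split_domain(group)
    problems: List[str] = []
    if not group_domain:
        problems.append("group short name has no domain: %r" % group)
    for user in members:
        user_domain, _ = split_domain(user)
        if not user_domain:
            problems.append("member missing domain: %r" % user)
        elif group_domain and user_domain.lower() != group_domain.lower():
            problems.append("member domain %r does not match group domain %r"
                            % (user_domain, group_domain))
    return (not problems), problems


if __name__ == "__main__":
    ok, problems = check_group_mapping(SAMPLE_GROUP_OUTPUT)
    print("OK" if ok else "PROBLEMS:")
    for p in problems:
        print("  -", p)
```

Run it against the saved output of the group listing for each group referenced in a policy; a non-empty problem list after a Panorama push is the cue to apply the local domain override (or re-push the template after a 7.x upgrade) before the rules silently stop matching.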


This is very useful feedback from the field. Thank you !!!

 

I am actually curious: did you create a TAC case? IMO it should be highlighted as a bug, a mechanism should be in place to support PANOS 6.0<

This actually surfaced as two different TAC cases, Panorama 7.x with PAN-OS 6.x clients and PAN-OS 7.x Group Mappings not working.  We had both of them open at the same time (was waiting for more troubleshooting for the initial case), when through troubleshooting myself it dawned on me what was happening.

 

I did ask TAC to forward this to engineering and also sent this up to my Palo Alto SE to ask him to create a bug for this.  In a mixed environment, Panorama will need to know the PAN-OS to determine how to configure LDAP and Group Mapping, which right now I don't know if this is possible.

 

Anyways, glad it was helpful.  I love the Palo Alto product and figured if I can give back to the community to save at least one other engineer hours of troubleshooting, it's a good thing.

 

-Matt
