This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Unable to assign Security Policy to Users or Groups

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Unable to assign Security Policy to Users or Groups

MRosloniec
L3 Networker

‎05-23-2013 10:33 AM

Hi -

We are using User-ID Agents to create user-to-IP mappings and I've got group mapping configured on the firewall itself and I can browse through my ldap groups.  However, when I go to Policies > Security Policy I am unable to select either individual users OR groups to assign the policy to... Nothing populates.  Am I missing something somewhere?  Seems like it would be straight forward after configuring group mapping.  Thanks!

0 Likes Likes
19 REPLIES 19

panos
L6 Presenter
In response to MRosloniec

‎05-23-2013 12:13 PM

you can use

show shared server-profile ldap

in configure mode.

0 Likes Likes

MRosloniec
L3 Networker
In response to MRosloniec

‎05-23-2013 12:19 PM

admin@Ada-PAN-M100(primary-active)# show template "US Lab" config shared server-profile ldap LDAP-Group-Mapping

LDAP-Group-Mapping {

  server {

    ldap-adam-apps.intranet.local {

      port 389;

      address ldap-adam-apps.intranet.local;

    }

  }

  ldap-type active-directory;

  timelimit 30;

  bind-timelimit 30;

  ssl no;

  domain na;

  base ou=groups,o=alticor;

  bind-dn cn=ldap-alt-paloalto,ou=users,o=alticor;

  bind-password -AQ==ZtJUGAV/ZcKHS4UkVNe1zXA0x2s=uvilr+9UMZiJgEAXcnLCXA==;

}

0 Likes Likes

gwesson
L7 Applicator
In response to MRosloniec

‎05-23-2013 05:12 PM

The M-100 (and Panorama in general) will not populate users or groups when creating rules until a rule has been created with that user/group at least once. The reason for this is because of the huge amount of load it would take if you had several hundred firewalls, each with different domains configured with a single Panorama (imagine how long it would take to query each firewall, which would query each domain, and return the full group and user list).

If you create the policy local to the firewall, the group will indeed prepopulate because the scope is limited to that one firewall's set of user and group data.

Once you create a policy which has a user- or group-name on Panorama, that user/group will be available for future rules. Note that there is no integrity check, so a mistake will be allowed through and simply fail to match. I recommend copying the user data from an LDAP browser so you don't have to worry about the syntax.

Hope this helps,

Greg Wesson

0 Likes Likes

mschuricht
L4 Transporter
In response to gwesson

‎05-23-2013 05:21 PM

This sound like a bug...

Was the master device selected in the Device Group configuration?

User-ID groups should be pulled from the Master Device for selection in Policy and will also be queried upon search to pull individual users as well.

Screen Shot 2013-05-23 at 5.19.13 PM.png

0 Likes Likes

MRosloniec
L3 Networker
In response to mschuricht

‎06-04-2013 10:47 AM

Yes there is a master device set.  We went ahead and opened a case on this issue.

0 Likes Likes
  • 5832 Views
  • 19 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks