DotW: User-ID Group Mapping

Created On 09/25/18 19:22 PM - Last Modified 06/14/23 07:32 AM


Resolution


 

[Image: 55995-1.png]

Group mapping inside User-ID is a widely used feature: it lets you reference directory groups in security policies instead of individual user accounts. User-ID builds the mapping by querying a Microsoft Active Directory or eDirectory server over LDAP (default port 389). Note that a simple bind over plain LDAP on port 389 sends the service account's password in cleartext, so LDAP over SSL/TLS (port 636) is preferable in production.

 

User-ID can be deployed in one of two ways:

  • Agent - the User-ID agent software runs on a Windows server and communicates with the directory server on the firewall's behalf.
  • Agentless - the firewall itself communicates directly with the directory server.

 

This is usually a simple configuration, but issues do arise. By default, the firewall uses the Management IP address to communicate with the directory server, and because that traffic originates from the management interface, no additional security rules are needed. If you do not wish to use the Management IP and want the LDAP traffic to leave through another interface instead, the "Service Routes" must be changed, and you should then confirm that the directory server is actually reachable from that interface (routing and any policy in the path).

This is configured in the WebGUI under Device > Setup > Services; click "Service Route Configuration" under "Services Features".

 

For more information on Service Route configuration, reference the PAN-OS Admin Guides.

 

In this Discussion of the Week, user 'Satish' was using agentless User-ID and received an "Internal error" when the firewall tried to communicate with his Microsoft Active Directory server: the firewall was unable to reach the directory server at all.

 

[Image: 55995-dotw-pic-userid.png]

 

The root cause was twofold: his service routes were not properly configured, so the LDAP traffic never reached the domain controller, and the password configured for the account used to bind to the Microsoft Active Directory server was wrong. Both conditions surface as a failed group mapping, so check reachability from the intended source interface first, then verify the bind credentials.

To view the full discussion, reference the following link: Group Mapping Issue Discussion
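The two failure modes above (a service route that sends the LDAP traffic out the wrong interface, and a wrong bind password) can be reproduced outside the firewall with a small standard-library script. This is an added example, not code from the KB article or from Palo Alto Networks: it encodes an LDAP BindRequest and decodes the BindResponse by hand (RFC 4511, BER), lets you choose the source address the connection originates from (the analogue of the service route), and distinguishes "unreachable" (an OSError) from "reachable but wrong password" (resultCode 49, invalidCredentials). The server address, port, bind DN and passwords are placeholders, and the fake directory server is a constructed stand-in so the script runs offline.

```python
"""Reproduce what agentless User-ID needs from an LDAP directory: reachability
from the right source address (service route) and a working simple bind
(service-account password). Standard library only; encoding per RFC 4511.
Added example, not code from the KB article or from Palo Alto Networks."""
import socket
import threading

# RFC 4511 resultCode values that matter when group mapping fails.
LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49   # wrong bind password
LDAP_PORT = 389                 # plaintext default; prefer LDAPS on 636 in production


def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def ber(tag, body):
    """One BER TLV (tag, length, value)."""
    return bytes([tag]) + ber_len(len(body)) + body


def build_bind_request(message_id, bind_dn, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3,
    name LDAPDN, authentication simple [0] OCTET STRING } }."""
    if not 0 <= message_id < 0x80:
        raise ValueError("message_id must fit in one integer octet here")
    bind = ber(0x60, ber(0x02, b"\x03")            # version 3
                     + ber(0x04, bind_dn.encode())  # name
                     + ber(0x80, password.encode()))  # simple [0]
    return ber(0x30, ber(0x02, bytes([message_id])) + bind)


def parse_tlv(data, pos=0):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def parse_bind_response(data):
    """Return (resultCode, diagnosticMessage) from an LDAPMessage carrying a BindResponse."""
    tag, msg, _ = parse_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _msg_id, pos = parse_tlv(msg)
    tag, resp, _ = parse_tlv(msg, pos)
    if tag != 0x61:                                   # [APPLICATION 1] BindResponse
        raise ValueError("expected BindResponse, got tag 0x%02x" % tag)
    _, rc, pos = parse_tlv(resp)                      # ENUMERATED resultCode
    _, _matched_dn, pos = parse_tlv(resp, pos)
    _, diag, _ = parse_tlv(resp, pos)
    return int.from_bytes(rc, "big"), diag.decode("utf-8", "replace")


def ldap_simple_bind(server, port, bind_dn, password, source_ip=None, timeout=5.0):
    """Connect from source_ip (None = routing-table default, like the management
    service route) and attempt one simple bind. Returns (resultCode, diagnostic);
    raises OSError when the directory is unreachable from that source."""
    src = (source_ip, 0) if source_ip else None
    with socket.create_connection((server, port), timeout=timeout, source_address=src) as s:
        s.sendall(build_bind_request(1, bind_dn, password))
        reply = s.recv(4096)
    return parse_bind_response(reply)


def start_fake_directory(expected_password):
    """Constructed stand-in for a directory server so the example runs offline:
    answers exactly one bind with success or invalidCredentials. Returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            _, msg, _ = parse_tlv(conn.recv(4096))
            _, _mid, pos = parse_tlv(msg)
            _, bind, _ = parse_tlv(msg, pos)
            _, _ver, pos = parse_tlv(bind)
            _, _dn, pos = parse_tlv(bind, pos)
            _, pw, _ = parse_tlv(bind, pos)
            ok = pw == expected_password.encode()
            rc = LDAP_SUCCESS if ok else LDAP_INVALID_CREDENTIALS
            diag = b"" if ok else b"invalid credentials"
            conn.sendall(ber(0x30, ber(0x02, b"\x01")
                             + ber(0x61, ber(0x0A, bytes([rc])) + ber(0x04, b"") + ber(0x04, diag))))

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # Placeholder DN/password; against a real domain controller pass its address and LDAP_PORT.
    port = start_fake_directory("correct-horse")
    print(ldap_simple_bind("127.0.0.1", port, "cn=svc-userid,cn=Users,dc=example,dc=com", "wrong"))
```

Run it against a real domain controller by replacing the fake server's address with the controller's and passing `source_ip` set to the address of the interface the service route is supposed to use: an OSError (timeout or connection refused) points at the service route or intervening policy, while a clean TCP connection followed by resultCode 49 isolates the problem to the bind account or its password.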

 

If you have any questions, comments or feedback, please leave them below.

Thanks for reading,

 

Joe Delio



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClWyCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail