Traffic Not Matching Policies Configured with Active Directory Groups


24141
Created On 09/26/18 13:55 PM - Last Modified 05/31/23 20:44 PM




Issue

Traffic is not matching the security policy even though the user identified for the traffic is a member of the Active Directory (AD) user groups defined in the policy.

 

Details

During configuration, the group name was typed manually into the security policy instead of being selected from the list of available groups. The typed entry used the same format as the entries in the drop-down list, yet the UI shows the user icon next to it instead of the group icon:
[Screenshot: Capture6.PNG]

When a group entry is typed manually, its distinguished name is not resolved and the entry is saved exactly as typed, so the firewall treats it as a user name rather than a group. The screenshot below is an excerpt from the output of `# show rulebase security rules <name>`, where `<name>` is the name of the rule:
[Screenshot: Capture1.PNG]

 

Resolution

To resolve the issue:

  1. Verify that the group exists and check the membership associations for the user:
     > debug device-server dump user-group name "pantac\group56"
  2. Select the desired group from the drop-down list in the security policy.
  3. Make sure the group icon is displayed next to the group in the Source User column:
     [Screenshot: Capture4.PNG]
  4. Check the configuration for source-user:
     [Screenshot: Capture2.PNG]
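The following audit script is an added example, not part of this article or of PAN-OS. It assumes the rulebase has been exported in the CLI "set" output format (`set cli config-output-format set`) and uses a constructed config excerpt; it flags source-user entries that are not resolved distinguished names (and not keywords such as any or known-user), since those are the manually typed entries that will be stored as users instead of groups.

```python
import re

# Constructed sample in PAN-OS "set" output format (assumption: not taken from the article).
# Rule allow-group56 and the second entry of allow-mixed were typed by hand;
# allow-group57 was selected from the drop-down and so holds the resolved DN.
SAMPLE_CONFIG = """\
set rulebase security rules allow-group56 from trust
set rulebase security rules allow-group56 source-user [ "pantac\\group56" ]
set rulebase security rules allow-group57 source-user [ "cn=group57,cn=users,dc=pantac,dc=local" ]
set rulebase security rules allow-any source-user any
set rulebase security rules allow-mixed source-user [ "cn=group58,cn=users,dc=pantac,dc=local" "pantac\\group59" ]
"""

RULE_RE = re.compile(r'^set rulebase security rules (\S+) source-user (.+)$')
# A resolved group is stored as an LDAP distinguished name: cn=...,cn|ou|dc=...
DN_RE = re.compile(r'^cn=[^,]+(,(cn|ou|dc)=[^,]+)+$', re.IGNORECASE)
# Built-in source-user keywords that are neither users nor groups.
SPECIAL = {"any", "known-user", "unknown", "pre-logon"}


def parse_source_users(config_text):
    """Return {rule_name: [source-user values]} parsed from set-format lines."""
    rules = {}
    for line in config_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        name, value = m.groups()
        value = value.strip()
        if value.startswith("[") and value.endswith("]"):
            value = value[1:-1]
        # Tokens are either double-quoted strings or bare words.
        members = [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', value)]
        rules[name] = members
    return rules


def find_unresolved_groups(rules):
    """Flag entries that are neither a keyword nor a DN: these were saved as
    typed (e.g. domain\\name) and are matched as user names, not groups."""
    findings = {}
    for name, members in rules.items():
        unresolved = [m for m in members
                      if m.lower() not in SPECIAL and not DN_RE.match(m)]
        if unresolved:
            findings[name] = unresolved
    return findings


if __name__ == "__main__":
    for rule, entries in find_unresolved_groups(parse_source_users(SAMPLE_CONFIG)).items():
        print(f"{rule}: re-select from the group list -> {entries}")
```

Any rule reported by the script should be fixed by re-selecting the group from the drop-down list as described in step 2, after which its source-user value becomes the resolved DN.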

owner: knarra1



    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm2DCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail