Traffic Not Matching Policies Configured with Active Directory Groups
24141
Created On 09/26/18 13:55 PM - Last Modified 05/31/23 20:44 PM
Issue
Traffic is not matching the security policy even though the user identified for the traffic is a member of the Active Directory (AD) user groups defined in the policy.
Details
During configuration, the group name was typed into the security policy by hand instead of being selected from the available list. The typed entry used the same format as the entries in the drop-down list, but the UI shows the user icon next to it instead of the group icon:
When a group entry is manually entered, the distinguished name is not resolved and the entry is saved as it was entered. The image below is an excerpt from the output of # show rulebase security rules <name>, where <name> is the name of the rule:
Resolution
To resolve the issue:
1. Verify that the group exists and check the membership associations for the user:
   > debug device-server dump user-group name "pantac\group56"
2. Select the desired group from the drop-down list in the security policy.
3. Make sure the group icon is displayed next to the Source User column for the group:
4. Check the configuration for source-user:
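The manual check above can be repeated across a whole rulebase. The following is an added example, not part of this article or of PAN-OS, that scans an exported configuration for source-user members that are neither a built-in keyword nor an LDAP distinguished name, which is what a group entry saved "as it was entered" looks like. The sample XML is constructed, and the assumption that a selected group is stored as a DN (cn=...,dc=...) is an assumption of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a PAN-OS configuration excerpt (not from the article).
# Rule "allow-group56" carries a group name typed by hand, saved verbatim;
# rule "allow-group57" carries a group selected from the list, saved as a DN.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <rulebase><security><rules>
      <entry name="allow-group56">
        <source-user><member>pantac\\group56</member></source-user>
      </entry>
      <entry name="allow-group57">
        <source-user>
          <member>cn=group57,cn=users,dc=pantac,dc=local</member>
        </source-user>
      </entry>
      <entry name="allow-any">
        <source-user><member>any</member></source-user>
      </entry>
    </rules></security></rulebase>
  </entry></vsys></entry></devices>
</config>"""

# Built-in source-user keywords that never need group resolution.
KEYWORDS = {"any", "known-user", "unknown", "pre-logon"}


def looks_like_dn(member: str) -> bool:
    """Assumption: a group selected from the list is stored as an LDAP DN."""
    lowered = member.lower()
    return lowered.startswith("cn=") and ",dc=" in lowered


def find_unresolved_members(config_xml: str) -> dict:
    """Map rule name -> source-user members that are neither keywords nor DNs.

    Each hit is either a single user (expected in domain\\name form) or a
    group name that was typed by hand and therefore never resolved.
    """
    root = ET.fromstring(config_xml)
    findings = {}
    for rule in root.findall(".//rulebase/security/rules/entry"):
        members = [m.text.strip() for m in rule.findall("source-user/member") if m.text]
        suspects = [m for m in members if m not in KEYWORDS and not looks_like_dn(m)]
        if suspects:
            findings[rule.get("name")] = suspects
    return findings


if __name__ == "__main__":
    for rule, members in find_unresolved_members(SAMPLE_CONFIG).items():
        print(f"rule {rule!r}: review source-user {members}")
```

Entries the scan reports are only candidates: a legitimately selected single user is stored in the same domain\name form, so compare each hit against the group list before re-selecting it in the policy.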