User ID in Expedition Does not Work

ShawnSlater · ‎04-30-2021

So it appears that UserID requires something more to apply to multiple rules. I see conversations from 2019 posts that have no real answers. I need to apply a UserID group pulled via LDAP across 5000 rules. Expedition shows the full LDAP name that I added to a rule in Panorama which is fine but I can do nothing with that information. I cannot copy, paste, edit this at all. This appears broken. Is there an API requirement or a direct device link that needs to happen?

azuniga · ‎04-30-2021

Hello @ShawnSlater

If I am not mistaken within the firewall you can enable userID at the zone level which should accomplish what you need done?

ShawnSlater · ‎04-30-2021

No, maybe I didn't correctly state it. I am talking about Source User in Security Policies. That is pulled via Group Mapping which relies on a LDAP server profile. In Expedition it shows the full LDAP bind for the group I want. I can do nothing with that in Expedition. I cannot change it and I cannot apply that entry to additional rules

ShawnSlater · ‎04-30-2021

When you are in Expedition and have imported Panorama configuration, under Objects there is a section for Users. In there a Users via API and a User Groups via API. Neither of these are actually part of a regular Panorama configuration from what I can tell. This may be what I need but I don't know that there's anything explaining this.

azuniga · ‎04-30-2021

Hello ShawnSlater,

Generally those UserID groups are created once you have tied the panorama device into LDAP so it can pull in those UserID groups from what you have created, I would not recommend migrating this from within expedition itself. Although yes the field does exist it would make more sense to make these changes from within Panorama to isolate East-West traffic based off of UserID.

ShawnSlater · ‎04-30-2021

So I will make 15,000 clicks as each rule requires 3 clicks to add that in Panorama. That's why Expedition exists, to avoid that correct? What is the purpose of the User section under Objects in Expedition around the API?

azuniga · ‎04-30-2021

Hello @ShawnSlater

Sorry maybe I was not clear, I am saying that those UserID groups should be first created on the firewall then imported into Expedition. Now from within expedition once you have imported them in you can simply multi-edit the policies to incorporate them into your policies, but I would not attempt to create these UserID modifications from within expedition since they are not tied back to LDAP and able to pull down that type of information. Once this is done yes you should be able to push those changes via API.

ShawnSlater · ‎04-30-2021

But you cannot do that in Expedition. If you have a User/User Group in a rule you cannot select it in any other rule. The Multi-edit does not work.

azuniga · ‎04-30-2021

Hello @ShawnSlater

So you do not see what I show below in the screenshot? What version of expedition are you using?

ShawnSlater · ‎04-30-2021

Yes, I see that but you cannot select any of the existing groups or users from your rules in that dropdown. You also cannot manually add a user or group. So for rules that I have already selected the user or group from Group mapping in Panorama, it shows the full LDAP bind but you can't edit/change or copy to another rule.

Network Security

Cloud Security

Security Operations

User ID in Expedition Does not Work

User ID in Expedition Does not Work

Show your appreciation!