09-05-2012 04:23 PM
I have three active directory servers configured within the LDAP settings of my Palo Alto. I have tried using both 389 and the GC port of 3268 as per this doc: https://live.paloaltonetworks.com/docs/DOC-3120
I have two 2050's in an active/passive pair. I have AD IP agents on each DC and the PAs are set to query them.
The problem is that while I can see the users in my traffic logs, they are getting the wrong security policies applied to them. The user to IP is working, it is the user to LDAP group which is not. I am not using the user agents as LDAP group membership proxies.
If I do show user user-IDs | match joe I may get back the proper group, but I may only get back one of three groups the user is a member of. I'm talking about 1 of 3 groups I've defined to the Palo Alto, not all Active Directory groups. The results are very random. If I run the same command on the second PA in the pair, I will often see different results.
I have ran the command show user group-mapping state all and while I did have some nested groups, I do not anymore. Because I cannot negate user groups in a security policy, I have user groups which contain 1500+ users. I have the maximum timeout value set to 30 seconds, which is the max I can set it to in 4.1.7. Per the state all command, it is taking no more than 5 seconds to enumerate these groups.
Can anyone please shed some light on what's going on, and how to fix this?
09-06-2012 02:51 PM
I opened a case which got escalated.
Issue #1) Under Group Mapping Settings, I had a seperate mapping for each active directory group I wanted to use on my PA 2050. I have a single forest/AD. Support recommended having a single group mapping setting which included all of my active directory groups that I wanted to use within my Palo Alto rules.
Issue #2) Under Server Profiles / LDAP we modified the settings to use port 389 instead of the GC port 3268. We modified the Bind DN from user@domain.com to CN=user,OU=grouping,OU=container,DC=domain,DC=com (That's not my actual user or domain.) Support states this works better.
Issue #3) The command show user user-IDs | match joe is not showing all of joe's group membership as this is filtering out lines with joe. The group membership list includes lines that do not have joe in the line. So I was using the command incorrectly. The proper command is show user user-IDs match-user joe
Considering I didn't have the LDAP instability for a few weeks, and then it poped up it's ugly head, only time will tell for certain if these are the fixes.
09-06-2012 02:51 PM
I opened a case which got escalated.
Issue #1) Under Group Mapping Settings, I had a seperate mapping for each active directory group I wanted to use on my PA 2050. I have a single forest/AD. Support recommended having a single group mapping setting which included all of my active directory groups that I wanted to use within my Palo Alto rules.
Issue #2) Under Server Profiles / LDAP we modified the settings to use port 389 instead of the GC port 3268. We modified the Bind DN from user@domain.com to CN=user,OU=grouping,OU=container,DC=domain,DC=com (That's not my actual user or domain.) Support states this works better.
Issue #3) The command show user user-IDs | match joe is not showing all of joe's group membership as this is filtering out lines with joe. The group membership list includes lines that do not have joe in the line. So I was using the command incorrectly. The proper command is show user user-IDs match-user joe
Considering I didn't have the LDAP instability for a few weeks, and then it poped up it's ugly head, only time will tell for certain if these are the fixes.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
