This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
Accept
Reject
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Access problems via Globalprotect with AD group.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Access problems via Globalprotect with AD group.

Amaro123
L2 Linker

‎02-17-2021 06:28 AM

Hello everyone,

I am relatively new to Palo Alto solutions and I face a problem that has been going on for over a week. Could anyone help me?

 

This is the scenario:
- I have gateways 01 and 02 for the GlobalProtect.
- AD groups called Grupo1 and Grupo2.
- Test user named Fred.

 

When user Fred is in Group1 he has normal access to the environment through the two gateways.
When that same user is in Group2 he has normal access only through gateways 01. If you use 02 he does not access anything.

I reviewed the LDAP settings but did not find any unique references to the groups I have.

What can I not be seeing?

 

0 Likes Likes
12 REPLIES 12

MickBall
L7 Applicator

‎02-17-2021 08:55 AM - edited ‎02-17-2021 08:58 AM

the group settings can be found in Device\User Identification\Group Mapping\Group include

 

 

and try the following...

on both gateways enter via cli...

 

show user group list

 

and compare to ensure you are checking the same groups.

 

then on both gateways enter..

 

show user group name  " enter group name from above here"

 

do this for both groups and check to see all members are displayed for both gateways,

Amaro123
L2 Linker
In response to MickBall

‎02-17-2021 10:08 AM

What do you mean "on both gateways enter via cli ..."? I must have explained it wrong, the GP gateways are related to internet links. I can access the VPN via the IP of one provider or the IP of another provider.

 

The command "show user group list" showed me that the list is very long, but I can identify the DN using "show user group list | match <group_name>".


However when I use the command "show user group name <group_name>" the result is always the same regardless of the group you are querying: User group 'group_name' does not exist or does not have members

0 Likes Likes

Amaro123
L2 Linker
In response to Amaro123

‎02-17-2021 10:16 AM

Capture.PNG

MickBall
L7 Applicator
In response to Amaro123

‎02-18-2021 12:21 AM

you have not used the "Included Groups" option.

This will force the firewall to collect all information for every group within your AD.

The firewall has limits on how many groups it can access and although this may not be the issue here I would still only include the required groups that you actually need to interrogate. this will also help with future diagnostics when using multiple groups.

 

This will also allow you to use "show user group name"  and return valid entries.

 

snippet from PA

 

MickBall_0-1613636445260.png

 

MickBall
L7 Applicator
In response to Amaro123

‎02-18-2021 12:22 AM - edited ‎02-18-2021 12:28 AM

OK just re-read your reply, are both of these gateways on the same firewall?

 

If so then it should be OK as we have a similar setup of multi gateways on same firewall.

 

are both gateways using the same policy, or do you have a policy for each zone?

 

 

 

 

0 Likes Likes

Amaro123
L2 Linker
In response to MickBall

‎02-18-2021 11:47 AM

Thanks for the tip with "Included Groups". It can be an interesting point for improvements and I will study the possibility of adjusting it!

 

Yes, both are on the same firewall and using the same policy.

Even with the user having problems, I see the communication attempt, but the log is presented as the "incomplete" status.

 

Capture.PNG

0 Likes Likes

MickBall
L7 Applicator
In response to Amaro123

‎02-19-2021 01:26 AM - edited ‎02-19-2021 01:35 AM

@Amaro123  is the communication attempt you are seeing allowed or denied?   I would imagine that it's allowed or the sate would be not-applicable.  it may help if you paste log snippet.

0 Likes Likes

Amaro123
L2 Linker
In response to MickBall

‎02-19-2021 10:37 AM

Hello @MickBall,

 

They are allowed, but in Application the status is "incomplete".

 

rule.PNG

 

I used the command "show users user-ids match-user <user.name>" for the user who has been doing the tests and he recognizes the group I mention here in the example that presents the problem. In this case it is the third in the print list.

show user user-ids.PNG

 

 
0 Likes Likes

Astardzhiev
Cyber Elite
Cyber Elite

‎02-22-2021 12:44 AM

Hi @Amaro123 ,

 

"When user Fred is in Group1 he has normal access to the environment through the two gateways.
When that same user is in Group2 he has normal access only through gateways 01. If you use 02 he does not access anything."

 

Having the above in mind and the logs you provide it looks to be like routing problem.

I am assuming that the two gateways are assigning different IP pools to the connected users, but do they assign different range based on the user group?

 

I can imagine that gateway01 and 02 are assinging differen IP addresses based on the group membership. So when user is assigned to Group2 and connects to gateway02 he is assigned with ip address that your internal network doesn't route properly. If you look at the log details (the magnifying glass on the very left of your log entry you sent earlier) you will probably see that traffic is only in one direction - packets/bytes received will be zero. Or if you have internal firewall that is blocking the range assigned to users in group2 connected to gateway2.

 

In short - check what IP range is assigned when connected any gateway with any group and check if your internal network handle these ip ranges the same way.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Copyright 2007 - 2022 - Palo Alto Networks