Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

AD Groups in Firewall Policy - Inconsistent Behaviour

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

AD Groups in Firewall Policy - Inconsistent Behaviour

L4 Transporter

I have two issues with managing firewall policies when using AD groups; running 4.1.7 - so am using the 'on-hardware' group retrieval rather than the PAN Agent.

1) When adding new groups to be mapped they do not appear in the GUI i.e. cannot be selected for a policy from the 'drop down' selector.  This will usually fix itself after a random amount of time - hours or days (and this occurs even when, using the command line interface, I have confirmed that the group is being populated and tracked by the firewall using the show users groups name command etc).

2) The Palo policy UI seems to randomly display the groups (and users) in either AD format or X500(?) format i.e. sometimes it uses acme\auser and othertimes it uses cn=auser, ou=users, o=acme


This occurs both on the PA firewalls and our Panorama install.

It's annoying more than anything, as we can usually work our way round the issue, but understanding why it doesn't behave consistently would be a bonus!

Rgds

4 REPLIES 4

L0 Member

I've the same trouble with PANOS version 4.1.9.

Rgds

I've just got a little further forward.

My PA's are in HA pairs and it looks as if maybe only the active device will update the GUI etc to make the new groups visible.

As (in the scenario I have at the moment) the passive PA is the one set as the master device for that group in Panorama, it looks as if Panorama won't make it available in the policy section either.  I have just switched the master device to the currently active PA and now I can select the newly mapped group in the Panorama policy, and push to the HA pair.

Not sure if the policy will work properly on the (currently) passive box if it is promoted to live though....

Or - it was just luck that the GUI decided to update at the time I was testing that scenario!

I've not seen the new group mapping issue before but suspect that the config push from Panorama may also replicate the change to the other node (including the new group) although you may want to log a call with support to confirm correct functionality but also so that they can keep track of this.

The user issue (acme\auser vs cn=auser) described is something that will be addressed in 4.1.9 - this was identified as a cosmetic issue and does not impact functionality. For clarity, 4.1.8 is the latest code and was released mid September.

I'm running 4.1.10 and the cosmetic bug still exists.

  • 2934 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!