AD Groups Not Showing Up

L1 Bithead


I'm using User-ID and Active Directory groups to identify traffic from specific people.  The User-ID part seems to be working because Source User shows up in the logs and I can configure firewall rules using individual user-IDs. 

However, I'm having issues with the AD groups. The Palo Alto is able to pull existing groups from Active Directory and use those groups just fine. The problem is when I try to use newly created AD groups in any firewall rules: the newly created groups don't show up in the list of available users and groups when you click "Add" in the "Source User" field.

After getting sidetracked with another issue, when I came back some of the newly created groups showed up, but not all of them and not the ones that I changed (I changed the name of one group, and when it showed up on the Palo Alto, it had the old name).

My question(s) are:

1) Is there some kind of waiting period before the Palo Alto checks for new/changed AD groups?

2) Is there some way to force the Palo Alto to "refresh" its listing of AD groups?

Thanks in advance for the help.

Accepted Solutions
L2 Linker

Hello,

I would like to answer your questions based on my experience.

Until version 4.1.5.x the AD group information is retrieved by the User Identification Agent (the pan-agent 3.1.x) running as a service on a member server.

Thus, refreshing the group membership, the group names, etc. is affected by the configuration of the User Identification Agent, reached by clicking the "Configure" button.

There, you will see the Age-Timeout in minutes and the User membership timer, values that will affect the membership and refreshing of the groups. Also you may want to disable Group Caching. By adjusting these settings you will see different results.

In version 4.1.6 and later there was a change in User Identification, and now the new User-ID agent is used for NTLM authentication (i.e. for Captive Portal). So the group mapping/retrieval is done by the firewall itself (through its management interface), by also configuring the appropriate LDAP server settings. In the group mapping settings there is also an update interval (in seconds) for the group mapping process.

2) You may force the refresh of the groups by restarting the Pan Agent Service on the member server (until version 4.1.5) and by also clicking the "Get Groups" button in the Palo Alto Networks User Identification Agent UI on the member server. Also, following this procedure will definitely refresh groups: stop PanAgentService on the member server, delete the file "C:\Program Files\Palo Alto Networks\PanAgent\group_members.txt" and then restart the service again; this will refresh the groups and group membership (it will help more if you also click the "Get Groups" button in the User Identification Agent UI).

In version 4.1.6, you will need to restart the useridd process on the active Palo Alto unit, by issuing the command "debug software restart user-id".

I hope my answer helps you.

Regards,

George G.

ENCODE S.A. - Palo Alto Networks Partner in Greece

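One way to script the pre-4.1.6 refresh procedure George describes (stop the service, remove the cached group file, restart), as an added PowerShell example that is not part of the original thread. It assumes the service name "PanAgentService" and the file path quoted above, and it keeps a timestamped backup copy of the file before deleting it, which the post does not mention.

```powershell
# Added example (not from the original post): force a User-ID Agent group refresh
# on the member server for the pre-4.1.6 pan-agent 3.1.x, following the steps in
# the answer above. Assumptions: the service name "PanAgentService" and the file
# path as given in the post; adjust both if your installation differs.
#Requires -RunAsAdministrator
$ServiceName = 'PanAgentService'
$GroupFile   = 'C:\Program Files\Palo Alto Networks\PanAgent\group_members.txt'

$svc = Get-Service -Name $ServiceName -ErrorAction Stop

# Step 1: stop the agent service and wait until it has actually stopped.
if ($svc.Status -ne 'Stopped') {
    Stop-Service -Name $ServiceName -Force
    $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
}

# Step 2: keep a timestamped copy of the cached group file before removing it,
# so the stale membership list can be compared with the refreshed one later.
if (Test-Path -LiteralPath $GroupFile) {
    $backup = "$GroupFile.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
    Copy-Item -LiteralPath $GroupFile -Destination $backup
    Remove-Item -LiteralPath $GroupFile
    Write-Host "Removed cached group file; backup at $backup"
} else {
    Write-Host "No cached group file found at $GroupFile (nothing to remove)"
}

# Step 3: start the service again; the agent rebuilds the group list on startup.
Start-Service -Name $ServiceName
$svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
Write-Host "$ServiceName is $((Get-Service -Name $ServiceName).Status)"

# Step 4 (manual): click "Get Groups" in the User Identification Agent UI, then
# confirm that the new or renamed groups appear in the regenerated file.
```

Run it in an elevated PowerShell session on the member server; group identification is unavailable while the service is stopped, so schedule it outside peak hours.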


All Replies

L1 Bithead

Thanks for the info.

I am currently running version 4.1.6 on my Palo Alto firewall.  I just changed the Update Interval to 60 seconds (the lowest possible value allowed) for the Group Mapping settings, so hopefully that will speed up the refresh process.

One question about the method to force a refresh:  What effect will this have on the Palo Alto and its functionality?  Will it only affect the user-ID process, or are there any other side-effects?  About how long does it take for the User-ID process to restart once the command is issued?  And finally, is there a GUI version of the command or is it only CLI?

Thanks again for the help.

L2 Linker

The useridd process should not take more than 20 seconds to restart. During that period User Identification may not work properly.

There is no GUI option to restart the user-id process, since this is done only in special cases.

On the other hand, since it is version 4.1.6, are you using the old (version 3.1.x) panagent installed on a member server, or are you using version 4.1 of the User-ID Agent?

Here are some updated docs for the newer agent and 4.1.x software. Please let us know if this is what you were looking for.

4.1 Agent setup:

https://live.paloaltonetworks.com/docs/DOC-2132

4.1 User-ID Upgrade Technical Note

If you are using the new User-ID, please read the Tech Note carefully, since the agent is now used only for the NTLM Authentication and Identification part of the Active Directory/Domain (reads logs, logon events etc.) and does not retrieve groups from Active Directory anymore.

Group retrieval is done through the PAN firewall via its management interface and using the configured LDAP Profile(s).

Regards,

George

L1 Bithead

Thanks, I'm using the User-ID Agent version 4.1.4-3.  I have both of those documents and looked through them, but didn't see anything about the group update rate.  BUT, going back again, I see there was a small section about the update rate in the Upgrade Tech Notes and I guess I completely missed it.  Oops.

Anyway, thanks for the info, especially that CLI command; since I have been using the web interface, I wouldn't have known about that CLI command.
