This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

AD Groups not working in Policies

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

AD Groups not working in Policies

GWynn
L3 Networker

‎09-14-2023 11:00 PM

Hello all, this sounds very similar to a previous post I found on here but I could not see a resolution. Very basic. I am trying to block or allow a domain user from the internet, from LAN zone to WAN zone. This will not work if I have domain\user in the Source User Field. I can see a user when I run:

admin@GeoffFirewall> show user ip-user-mapping all

IP Vsys From User IdleTimeout(s) MaxTimeout(s)
--------------------------------------------- ------------------- ------- -------------------------------- -------------- -------------
172.60.1.1 vsys1 Unknown unknown 1 4
172.60.1.4 vsys1 Unknown unknown 3 6
172.60.1.3 vsys1 AD xsoar\geoff.jones 2334 2334
Total: 3 users

GWynn_0-1694757547028.png

If I change the source to ALL then it of course works, either blocking or allowed. Thoughts??

 

 

Preview file
42 KB
0 Likes Likes
20 REPLIES 20

aleksandar.astardzhiev
Cyber Elite
Cyber Elite

‎09-15-2023 12:42 AM

Hi @GWynn ,

Please check the following discussion - https://live.paloaltonetworks.com/t5/next-generation-firewall/gp-amp-saml-wrong-domain-for-group-map...

 

Can you please provide output of the commands I have shared in my last post in the above discussion?

Also can you share little more background of your setup
- What are you using for AD? On-Prem AD or Azure AD? Are you using LDAP for group mapping?

- What are you using for user-id information? Server Monitor, User-ID agent or GlobalProtect client?

 

 

0 Likes Likes

GWynn
L3 Networker
In response to aleksandar.astardzhiev

‎09-15-2023 02:47 AM - edited ‎09-15-2023 02:49 AM

Hello @aleksandar.astardzhiev thanks. I am using Windows 2012R2 in a lab setup. I am using LDAP for group mapping yes.

I am also using server monitor, and yes in this screenshot it's timed out, it keeps doing that as well but separate issue I think!

admin@GeoffFirewall> show user user-attributes user netbios\user

admin@GeoffFirewall> show user user-attributes user fqdn.local\user

admin@GeoffFirewall> show user user-attributes user xsoar.local\user

admin@GeoffFirewall> show user user-attributes user geoffj@xsoar.local


Primary: xsoar.local\geoff.jones
Alt User Names:
1) geoffj@xsoar.local
2) xsoar.local\geoffj

admin@GeoffFirewall> show user user-attributes user xsoar.local\geoffj

admin@GeoffFirewall> show user user-attributes user xsoar.local\geoffj

admin@GeoffFirewall>

GWynn_0-1694771126032.png

 

0 Likes Likes

aleksandar.astardzhiev
Cyber Elite
Cyber Elite
In response to GWynn

‎09-15-2023 08:35 AM

Hi @GWynn ,

What is the output from

> debug user-id dump domain-map

If you look closely you can see that ip-to-user mapping is mapping your username in the format of "xsoar\geoff.jones", but most probably your group-mapping is using the format "xsoar.local\geoff.jones" (with one additional .local)

 

You could confirm this also by comparing the output from ip-to-user mapping and group mapping

What is the output of the command:

> show user group name "cn=<target-user-group>,cn=users,dc=xsoar,dc=local"

 

Check also the links for domain-map

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFnCAK

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVDCA0

 

0 Likes Likes

GWynn
L3 Networker
In response to aleksandar.astardzhiev

‎09-17-2023 03:26 PM

Hello, I have done this and reset the mappings as per: but now what? It appears the Palo pulls in the FQDN then converts it to Netbios name, I am still not sure how to resolve this?

 debug user-id reset group-mapping all
  1. Restart User-ID by using the command
> debug software restart process user-id
  1. Confirm that the domain map now exits.
> debug user-id dump domain-map

0 Likes Likes

GWynn
L3 Networker
In response to GWynn

‎09-18-2023 03:11 AM

admin@GeoffFirewall> debug user-id dump domain-map

xsoar.local : xsoar
vsys1 dc=xsoar,dc=local

admin@GeoffFirewall>

 

______________________________________________________

 

admin@GeoffFirewall> show user group name "cn=full-access,cn=users,dc=xsoar,dc=local"

short name: xsoar.local\full-access

source type: ldap
source: xsoar.local-GroupMapping

[1 ] xsoar.local\geoff

admin@GeoffFirewall>

0 Likes Likes

aleksandar.astardzhiev
Cyber Elite
Cyber Elite
In response to GWynn

‎09-18-2023 03:17 AM

Hi @GWynn 

Domain mapping look good now. However probably your group-mapping may need some adjustment.

Can you share your group mapping config?

 

0 Likes Likes

GWynn
L3 Networker
In response to aleksandar.astardzhiev

‎09-18-2023 03:28 AM

You mean this??

GWynn_0-1695032882386.png

 

0 Likes Likes

aleksandar.astardzhiev
Cyber Elite
Cyber Elite
In response to GWynn

‎09-18-2023 03:30 AM

Hey @GWynn ,

That is needed as well, but in addition - have you define anything in the "Domain" field on the "Server profile" tab? It looks you did, but can you confirm?

0 Likes Likes

GWynn
L3 Networker
In response to aleksandar.astardzhiev

‎09-18-2023 03:31 AM

GWynn_0-1695033106931.png

 

0 Likes Likes

GWynn
L3 Networker
In response to aleksandar.astardzhiev

‎09-18-2023 03:32 AM

Thanks @aleksandar.astardzhiev  for your help BTW!

0 Likes Likes

aleksandar.astardzhiev
Cyber Elite
Cyber Elite
In response to GWynn

‎09-18-2023 03:46 AM

Hey @GWynn ,

I think we are getting closer:

- Domain field in the group mapping is optional. If you add something there it will override the domain that collected by the firewall with the LDAP queries.

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/map-users-to-groups#id44a39121-660...

(Optional) By default, the User Domain field is blank: the firewall automatically detects the domain names for Active Directory (AD) servers. If you enter a value, it overrides any domain names that the firewall retrieves from the LDAP source. For most configurations, if you need to enter a value, enter the NetBIOS domain name (for example, example not example.com).

- In addition on the "user and group attributes" you are using the default settings, which tells the user to collect sAMAccountName and userPrincipalName. This can be confirmed by looking at the user attributes that FW is assciating with user

 

dmin@GeoffFirewall> show user user-attributes user geoffj@xsoar.local


Primary: xsoar.local\geoff.jones
Alt User Names:
1) geoffj@xsoar.local
2) xsoar.local\geoffj

 

However since you are overriding the domain in the group-mapping that user does no longer matching.

 

 

Please try to remove the domain from the group mapping and force group-mapping refresh with

> debug user-id refresh group-mapping all
0 Likes Likes

GWynn
L3 Networker
In response to aleksandar.astardzhiev

‎09-18-2023 03:51 AM

OK, I have removed the domain but when I commit I now get this!

  • Error: Profile compiler : failed to get PAN sinkhole ip
  • (Module: device)
  • client device phase 1 failure
  • Commit failed

A quick Google has not helped!

0 Likes Likes

aleksandar.astardzhiev
Cyber Elite
Cyber Elite
In response to GWynn

‎09-18-2023 04:03 AM

@GWynn ,

This has nothing to do with user-id and anything related to what we are trying to fix.

 

Sinkhole IP is used by  the DNS Security, which is part of the Anti-Spyware profile. I don't recall to have seen such error, but:

- Check what spyware profiles you have created. What are you using for sinkhole ip on the DNS security tab?

- Do you have license for Theat Prevent or DNS Sec? You mentioned this is lab.

- Try to remove any spyware profiles for now, just to be able to push the config for group mapping.

0 Likes Likes

GWynn
L3 Networker
In response to aleksandar.astardzhiev

‎09-18-2023 04:05 AM

Lol I know! I am not doing any of this, this really is a basic setup. I haven't created any such profiles. I have a 60 day license for everything but not long left. Thanks I'll take a look! !!!

0 Likes Likes
  • 3688 Views
  • 20 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks