AD Groups not working in Policies

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

AD Groups not working in Policies

L3 Networker

Hello all, this sounds very similar to a previous post I found on here but I could not see a resolution. Very basic. I am trying to block or allow a domain user from the internet, from LAN zone to WAN zone. This will not work if I have domain\user in the Source User Field. I can see a user when I run:

admin@GeoffFirewall> show user ip-user-mapping all

IP Vsys From User IdleTimeout(s) MaxTimeout(s)
--------------------------------------------- ------------------- ------- -------------------------------- -------------- -------------
172.60.1.1 vsys1 Unknown unknown 1 4
172.60.1.4 vsys1 Unknown unknown 3 6
172.60.1.3 vsys1 AD xsoar\geoff.jones 2334 2334
Total: 3 users

GWynn_0-1694757547028.png

If I change the source to ALL then it of course works, either blocking or allowed. Thoughts??

 

 

20 REPLIES 20

I can't delete these...I'll keep looking...

GWynn_0-1695035196607.png

 

Hello, I have had to reboot everything so let's check the state! Something didn't like something!

OK, I'm back in and deleted the Domain, committed fine and have run the below command

debug user-id refresh group-mapping all

 

Hey @GWynn ,

The refresh is only need to save you time and not waiting for the group-mapping update (defined in the Server profile in group mapping), Rebooting the firewall should have the exact same effect - triggering new LDAP query

 

Check the output from group mapping, user-ip  mapping and user atttributes:

 

> show user group name "cn=full-access,cn=users,dc=xsoar,dc=local"

> show user user-attributes user

> show user ip-user-mapping all

Output:

admin@GeoffFirewall> show user group name "cn=full-access,cn=users,dc=xsoar,dc=local"

short name: xsoar\full-access

source type: ldap
source: xsoar

[1 ] xsoar\geoff

admin@GeoffFirewall> show user user-attributes user geoffj

admin@GeoffFirewall> show user ip-user-mapping all

IP Vsys From User IdleTimeout(s) MaxTimeout(s)
--------------------------------------------- ------------------- ------- -------------------------------- -------------- -------------
172.60.1.6 vsys1 Unknown unknown 2 5
Total: 1 users

admin@GeoffFirewall>

Hey @GWynn ,

- From second command it looks FW cannot associate this user name. I am shooting in the dark, but it looks like "geoffj" is a CN. but your Group-mapping. You don't have CN listed in the user attributes. You probably need to add CN as "alternative attribute"

- Can you try to run the user-attribute command with the username in format that is showin in the group mapping?

- From the user-ip-mapping it looks like your FW doesn't have user-ip mapping at the  moment. If you have rebooted the FW and your VM haven't generate new login event this could be it. Try to log-in and then log-out of your test VM to generate new user-ip mapping.

  • 4869 Views
  • 20 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!