09-14-2023 11:00 PM
Hello all, this sounds very similar to a previous post I found on here but I could not see a resolution. Very basic. I am trying to block or allow a domain user from the internet, from LAN zone to WAN zone. This will not work if I have domain\user in the Source User Field. I can see a user when I run:
admin@GeoffFirewall> show user ip-user-mapping all
IP              Vsys   From     User                IdleTimeout(s)  MaxTimeout(s)
--------------- ------ -------- ------------------- --------------- -------------
172.60.1.1      vsys1  Unknown  unknown             1               4
172.60.1.4      vsys1  Unknown  unknown             3               6
172.60.1.3      vsys1  AD       xsoar\geoff.jones   2334            2334
Total: 3 users
If I change the source to ALL then it of course works, either blocking or allowed. Thoughts??
09-18-2023 04:06 AM
I can't delete these...I'll keep looking...
09-18-2023 04:26 AM
Hello, I have had to reboot everything so let's check the state! Something didn't like something!
09-18-2023 04:32 AM
OK, I'm back in and deleted the Domain, committed fine and have run the below command
debug user-id refresh group-mapping all
09-18-2023 04:40 AM
Hey @GWynn ,
The refresh is only needed to save you time so you are not waiting for the group-mapping update (defined in the Server profile in group mapping). Rebooting the firewall should have the exact same effect: triggering a new LDAP query.
Check the output from group mapping, user-IP mapping and user attributes:
> show user group name "cn=full-access,cn=users,dc=xsoar,dc=local"
> show user user-attributes user
> show user ip-user-mapping all
09-18-2023 05:03 AM
Output:
admin@GeoffFirewall> show user group name "cn=full-access,cn=users,dc=xsoar,dc=local"
short name:  xsoar\full-access
source type: ldap
source:      xsoar
[1     ] xsoar\geoff
admin@GeoffFirewall> show user user-attributes user geoffj
admin@GeoffFirewall> show user ip-user-mapping all
IP              Vsys   From     User                IdleTimeout(s)  MaxTimeout(s)
--------------- ------ -------- ------------------- --------------- -------------
172.60.1.6      vsys1  Unknown  unknown             2               5
Total: 1 users
admin@GeoffFirewall>
09-18-2023 06:15 AM
Hey @GWynn ,
- From the second command it looks like the FW cannot associate this user name. I am shooting in the dark, but it looks like "geoffj" is a CN, but in your group mapping you don't have CN listed in the user attributes. You probably need to add CN as an "alternative attribute".
- Can you try to run the user-attribute command with the username in the format that is shown in the group mapping?
- From the user-IP mapping it looks like your FW doesn't have a user-IP mapping at the moment. If you have rebooted the FW and your VM hasn't generated a new login event, this could be it. Try to log in and then log out of your test VM to generate a new user-IP mapping.
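As an added illustration (not code from this thread or from Palo Alto Networks), the Python script below parses the two CLI outputs discussed above, `show user ip-user-mapping all` and `show user group name ...`, and checks whether each mapped user would actually match a rule that names the group in Source User, flagging the kind of near-miss seen in this thread (xsoar\geoff.jones in the IP mapping vs xsoar\geoff in the group). The sample outputs are constructed to mirror the transcripts, not captured from a device.

```python
import re

# Constructed sample output, modelled on the CLI transcripts in this thread (not real device data).
IP_USER_MAPPING = """\
IP              Vsys   From     User                IdleTimeout(s) MaxTimeout(s)
--------------- ------ -------- ------------------- -------------- -------------
172.60.1.1      vsys1  Unknown  unknown             1              4
172.60.1.3      vsys1  AD       xsoar\\geoff.jones  2334           2334
Total: 2 users
"""
GROUP_MEMBERS = """\
short name:  xsoar\\full-access
source type: ldap
source:      xsoar
[1     ] xsoar\\geoff
"""

def parse_ip_user_mapping(text):
    """Return {ip: 'domain\\user'} for rows learned from a real source (skips 'Unknown' rows)."""
    rows = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 6 and re.fullmatch(r"\d+\.\d+\.\d+\.\d+", parts[0]) and parts[2] != "Unknown":
            rows[parts[0]] = parts[3].lower()
    return rows

def parse_group_members(text):
    """Return the set of 'domain\\user' names listed on '[n ] name' lines of the group output."""
    return {m.lower() for m in re.findall(r"^\[\s*\d+\s*\]\s+(\S+)", text, re.MULTILINE)}

def _split(name):
    """Split 'domain\\user' into (domain, user); names without a domain get domain ''."""
    domain, _, user = name.rpartition("\\")
    return domain, user

def check_policy_match(mapping_text, group_text):
    """For every mapped IP, say whether a Source User rule naming this group would see the user.
    'near-miss' = same domain and one name is a prefix of the other (geoff vs geoff.jones),
    the usual sign that User-ID and group mapping are fed by different username attributes."""
    members = parse_group_members(group_text)
    report = {}
    for ip, user in parse_ip_user_mapping(mapping_text).items():
        if user in members:
            report[ip] = "match"
            continue
        dom, name = _split(user)
        near = any(_split(m)[0] == dom and (name.startswith(_split(m)[1]) or _split(m)[1].startswith(name))
                   for m in members)
        report[ip] = "near-miss (attribute mismatch?)" if near else "no match"
    return report

if __name__ == "__main__":
    for ip, verdict in check_policy_match(IP_USER_MAPPING, GROUP_MEMBERS).items():
        print(ip, verdict)
```

Paste the real outputs of the two commands into the two strings to run the same check against your own firewall.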