03-23-2012 07:53 AM
Hi,
I am trying to set up a server profile for LDAP in PAN-OS 4.1.4.
Unfortunately I only see some groups of users but not the individual users themselves.
Running the command "show users ldap-server" is not available in 4.1.4.
Attached is a screenshot of the current configuration. Is that okay so far?
What is the way to identify where the problem is?
Thanks
Christof
03-23-2012 09:35 AM
No. I am trying to set up an LDAP connection at all. My target is to apply
user-based security rules.
Sent from my iPhone
On 23.03.2012 at 17:27, msoldner <live@paloaltonetworks.com> wrote:
Are you trying to see what is happening when they are trying to
authenticate? If so, would "less mp-log authd.log" help?
03-23-2012 12:15 PM
Hello,
Keep in mind that with 4.1.x, the firewall directly connects to the LDAP server and queries for AD groups. The user-id agent performs the user-to-ip mappings.
If you aren't seeing users, it may be an issue with the agent connectivity or settings.
To show what users are found in the groups:
> show user group name <group name> (You can tab to list all of the available group names)
To show what users are being mapped to IPs properly:
> show user ip-user-mapping all
To show the state of your user agent (since that's what is in charge of user-to-ip mapping)
> show user user-id-agent state all
Please let us know if this helps.
Thanks,
Jason Seals
03-23-2012 12:23 PM
The uiAgent is working well.
But for user-based security rules the uiAgent is not used, as far as I
understood.
I see two groups in the user field in the security rules but they are
not from the Users container of the AD. These two groups are directly
under the domain level and don't reflect my domain security groups or
even better the individual users.
Will query the commands on Monday and let you know.
Sent from my iPhone
03-23-2012 01:31 PM
I see.
Have you included the groups in the group include list?
In the WebUI -> Device tab -> User Identification -> Group mapping Setting tab -> Click your defined server (define one if not already defined) -> Group Include List tab -> and ensure you've added all the groups you want to use in your policies here.
If this doesn't help and you've recently updated to 4.1.x from 4.0.x or below, it may be the case you have some older groups on the firewall that are no longer compatible. The output of those commands should let us know.
Thanks,
Jason Seals
03-23-2012 01:55 PM
That's probably the issue. I have not assigned any groups...
The box is pretty new in our environment and was already shipped with OS 4.
Thanks a lot for your suggestions. I will report Monday!
Thanks
Christof
Sent from my iPhone
03-26-2012 05:56 AM
Hi again,
I ran the query in the terminal and received back only the groups that I see
in WebUI -> Device tab -> User Identification -> Group mapping Setting tab
-> Click your defined server (define one if not already defined) -> Group
Include List tab.
Curiously, I cannot select any group in CN=Users. It appears as empty (which
it surely is not).
I can only select groups that are directly under the domain level
(see attachment) and not in any of the containers.
The domain is a 2003-level domain. Is PAN-OS only compatible with newer
domain levels?
Thanks Christof
03-26-2012 10:24 AM
Hello,
I also have a Windows 2003 Domain Controller in my lab environment, and I can select groups to be added in CN=Users. I can open up any containers I have under the domain and add groups.
Are you positive that the bind dn you're using for your LDAP Server Profile has the ability to query in all of your containers?
Are you able to change the bind dn to a domain admin or something similar just for testing, so we can ensure he can open the containers?
Thanks,
Jason Seals
03-26-2012 01:33 PM
I use the Administrator account for the domain bind.
Thanks for your input.
Christof
Sent from my iPhone
03-29-2012 02:00 AM
Hi,
any other ideas?
As I said, the domain Administrator account is used for Bind DN.
The domain itself was an SBS 2003 domain 3 years back and was upgraded to a standard domain at that time.
I still see an OU=MyBusiness and some Exchange relics. Can this be an issue?
The groups that I can select (see my previous posts) are most likely groups from the old SBS schema, as I do not see such groups at our second site (Windows 2008 R2 Standard domain).
Thanks a lot!
Christof
03-29-2012 12:20 PM
Hi Christof,
It may be best to continue troubleshooting in a support case at this point for more direct support.
Please open up a support case and we can work to a faster resolution.
Thanks,
Jason
04-01-2012 04:08 AM
Jseals, how large is your AD structure? I'm suspecting it's relatively small, correct?
I've been troubleshooting an issue with support regarding 4.1.3-4 direct group enumeration, whereby the Palo Alto is only able to retrieve a small portion of our AD structure/objects. I am having similar experiences where, from the Palo Alto, I am not able to browse the full structure, and group enumeration for example shows only 26 users in "Domain Users" when there are in fact over 27,000.
When I change back to using the LDAP proxy and a 3.1.x User-ID agent, the group enumeration works correctly.
At first I suspected an issue with LDAP paging, but packet captures indicated paging is working; they seem to point towards some strange delays/timeouts towards the end of the session.
May be related to this discussion; difficult to tell at this time.
For the user having problems: if everything looks to be configured correctly and your domain structure/permissions are good, then try doing some packet captures from the Palo Alto Monitor tab, filtering on LDAP communications with the domain controller. I would recommend temporarily changing to unencrypted TCP 389 for the LDAP bind so you can view the full LDAP protocol interactions.
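A way to check both questions raised in this thread from outside the firewall, namely whether the bind DN can actually see groups under CN=Users (jseals' question above) and whether AD hands back a complete member list (the 26 vs. 27,000 count), is to run the same enumeration as that bind DN with ldapsearch and inspect what comes back. The script below is an added example and not Palo Alto code or part of the original posts. The host, bind DN, credentials and the sample LDIF are constructed; the LDIF is modelled on OpenLDAP ldapsearch output, and the range on the Sales group is shrunk to two values only to illustrate AD ranged retrieval (AD's default chunk, MaxValRange, is 1500).

```python
"""Enumerate AD groups as the firewall's bind DN and check the result.
Added example for this thread, not Palo Alto tooling. It builds the ldapsearch
command, parses the LDIF it returns, and flags the ways a listing is cut short
without an error: an unfollowed paged-results cookie, AD ranged retrieval of a
large multi-valued attribute (member;range=0-1499), or sizeLimitExceeded."""
import base64
import re


def ldapsearch_cmd(host, bind_dn, password, base_dn, ldap_filter, attrs,
                   page_size=1000, port=389):
    """Argument list for OpenLDAP ldapsearch bound as the firewall's bind DN.
    Plain LDAP on 389 with a simple bind is deliberate so a packet capture
    shows the whole exchange (as suggested above); revert to LDAPS afterwards.
    -E pr=N/noprompt asks for pages of N entries and follows every cookie."""
    return ["ldapsearch", "-x", "-H", f"ldap://{host}:{port}", "-D", bind_dn,
            "-w", password, "-b", base_dn, "-E", f"pr={page_size}/noprompt",
            ldap_filter, *attrs]


def parse_ldif(text):
    """Return (entries, result_code, last_cookie) from ldapsearch output.
    entries is a list of (dn, {attribute: [values]}); attribute names keep any
    LDAP option, so AD ranged retrieval shows up as 'member;range=0-1499'."""
    entries, result_code, cookie, current = [], None, None, None
    text = re.sub(r"\n ", "", text)                   # unfold continuation lines
    for line in text.splitlines():
        body = line[2:] if line.startswith("# ") else line
        if body.startswith("pagedresults: cookie="):  # ldapsearch trailer line
            cookie = body.split("cookie=", 1)[1].strip()
            continue
        if not line or line.startswith("#"):          # blank/comment ends an entry
            if current is not None:
                entries.append(current)
                current = None
            continue
        m = re.match(r"^([A-Za-z0-9.;=\-]+)(::?) ?(.*)$", line)
        if not m:
            continue
        name, sep, value = m.groups()
        if sep == "::":                               # base64-encoded value
            value = base64.b64decode(value).decode("utf-8", "replace")
        if name == "dn":
            current = (value, {})
        elif name == "result":                        # "0 Success", "4 Size limit exceeded"
            result_code = int(value.split()[0])
        elif current is not None:
            current[1].setdefault(name, []).append(value)
    if current is not None:
        entries.append(current)
    return entries, result_code, cookie


def groups_by_container(entries):
    """Map each parent container DN to the group names directly under it. An
    empty CN=Users here means this bind DN really cannot see groups there,
    independent of the firewall UI. (Naive DN split: no escaped commas.)"""
    out = {}
    for dn, attrs in entries:
        if "group" not in [v.lower() for v in attrs.get("objectClass", [])]:
            continue
        rdn, _, parent = dn.partition(",")
        out.setdefault(parent, []).append(rdn.split("=", 1)[1])
    return out


def check_group(entries, result_code, cookie, group_dn):
    """Members AD actually returned for one group, and whether the listing is
    complete. A range not ending in '-*' means more values must be fetched
    with a follow-up query such as member;range=1500-*."""
    f = {"members": 0, "ranged": False, "more_pages": bool(cookie),
         "size_limit_hit": result_code == 4}          # LDAP resultCode 4
    for dn, attrs in entries:
        if dn.lower() != group_dn.lower():
            continue
        for name, values in attrs.items():
            if name.split(";")[0].lower() == "member":
                f["members"] += len(values)
                if ";range=" in name and not name.endswith("-*"):
                    f["ranged"] = True
    f["complete"] = not (f["ranged"] or f["more_pages"] or f["size_limit_hit"])
    return f


# Constructed sample modelled on ldapsearch output (not captured from a real DC).
SAMPLE_LDIF = """\
# Domain Users, Users, example.local
dn: CN=Domain Users,CN=Users,DC=example,DC=local
objectClass: top
objectClass: group
cn: Domain Users
member: CN=Alice,CN=Users,DC=example,DC=local
member: CN=Bob,CN=Users,DC=example,DC=local

# Sales, Security Groups, MyBusiness, example.local
dn: CN=Sales,OU=Security Groups,OU=MyBusiness,DC=example,DC=local
objectClass: top
objectClass: group
cn: Sales
member;range=0-1: CN=Carol,CN=Users,DC=example,DC=local
member;range=0-1: CN=Dave,CN=Users,DC=example,DC=local

# search result
result: 0 Success
control: 1.2.840.113556.1.4.319 false MAYCAQAEAA==
pagedresults: cookie=
"""

if __name__ == "__main__":
    entries, rc, cookie = parse_ldif(SAMPLE_LDIF)
    print("groups per container:", groups_by_container(entries))
    for dn, _ in entries:
        print(dn, check_group(entries, rc, cookie, dn))
```

Against a real DC, feed `ldapsearch_cmd(...)` to `subprocess.run(cmd, capture_output=True, text=True).stdout` and pass that text to `parse_ldif`, using exactly the bind DN and base DN configured in the firewall's LDAP server profile. Two caveats: a `member` count on Domain Users is never a head count, because AD records each user's primary group (Domain Users by default) in the user's primaryGroupID rather than in the group's `member` attribute; and the `-w` password ends up in the process list, so prefer `-W` or `-y` when typing this on a shared host.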
04-01-2012 05:28 AM
Our LDAP is very small, too. We have approx. 40 users in the domain
that is having this issue.
I can sometimes see the groups in the security policy setup page although
I did not select them (or even see them) in the group mappings page.
Applying these groups to the policies does not have any effect.
The user agent is showing connected, but I have only a couple of users
known to the device although I know that there are more online in that
moment.
At our second facility (2008 domain) everything is working fine. The
user ID agent and the group mappings are working and I can build
security rules for them.
Thanks
Christof
Sent from my iPhone
04-02-2012 03:54 AM
Any fundamental differences between the 2 deployments, i.e. the one that is working and the one that isn't?