01-05-2014 09:03 AM
This is driving me crazy and I'm looking for some input...
I have the User-ID Agent installed on my single domain controller, which is running fine and connected to the PAN on version 5. Using the example below (my domain is different), I've duplicated the Group Mapping settings, but when expanding the Group Include List I can see all the groups, just not Domain Users. Any ideas on what I need to change or check?
01-05-2014 12:27 PM
Hi
You didn't mention what version of PAN you are using, but maybe this will be useful for you.
From the PAN 5.0.10 fixes log:
57816—Groups were not displayed in the Allow List dropdown selection of an Authentication Profile. This was due to changes made for an issue addressed in PAN-OS 5.0.7 (49237). This issue has been fixed so that groups are displayed in the Allow List dropdown selection of an Authentication Profile for single-vsys devices.
Regards
SLawek
01-06-2014 05:04 PM
I upgraded my PA-200 from 5.0.4 to 5.0.10 and have the current version of the User-ID Agent running on my DC. The upgrade went fine, I rebooted, and I still do not see user names populated under 'cn=users' in the 'Group Mapping Settings' when expanding the 'Group Include List'.
Any other ideas?
01-07-2014 04:42 AM
When creating a Security Rule in Policies > Security, under 'User', selecting 'any', 'pre-logon', 'known user', or 'unknown' populates the same list (i.e. <domain>\<group name>). Manually typing in <domain>\guest, it finds it. Using the same format and putting in the name of a user I created in AD in place of 'guest', it's not found; basically it's only listing the group names and not pulling the created user names, which I can see logged into my domain controller.
01-07-2014 06:50 AM
The below command displays the list of groups that the PANFW learns from AD:
> show user group list
You should see one such group in that list with "cn=user, ....".
To check whether the PANFW is learning about users belonging to that group, you can use the below command:
> show user group name <group name>
You can also refer to the below document:
01-07-2014 08:42 AM
'show user group list' works fine; I can see the list of groups, but attempting to query the 'users' group I get the following:
<response status="success"><result>User group '<users>' does not exist or does not have members</result></response>
admin@PA-200> show user group name <guests>
I have followed the link provided and everything matches up. Anything else you can think of to force a sync, or some other configuration item?
Thanks for all the help on this!
01-07-2014 10:32 AM
Hi Rob,
I am having difficulty following you.
May I know which "group" you are particularly interested in?
Do you see that "group" under the "show user group list" output?
If so, when you search for users under that group, do you see any users in it?
Can you paste the output of the commands that I requested?
Alternatively, if you type in the below command:
> show user user-IDs match-user <user>
<value> Show only the user(s) that match the string
do you see the user belonging to the "group" that you are expecting to see?
You can also verify that it's not just a PANFW issue by installing the Softerra browser (or any other LDAP browser) on your PC and checking whether you can retrieve the members of that group from your PC.
BR,
Karthik
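The LDAP-browser check suggested above, worked through offline as an added example (this is not code from the thread, from Palo Alto Networks, or from any poster; the domain SID, DNs and RIDs are constructed sample data). It shows a detail worth knowing when the group that fails to resolve is "Domain Users": Active Directory records a user's primary group (by default Domain Users, RID 513) only in the user's primaryGroupID attribute, so the group's member attribute and the user's memberOf attribute do not list that membership. A query that reads only member/memberOf therefore reports Domain Users as having no members, which is what the raw directory returns regardless of what any firewall does with it.

```python
"""Resolve AD group membership from raw LDAP attributes, including the
primary-group case that 'member'/'memberOf' do not expose.

Added example for this thread, not code from Palo Alto Networks or any poster.
The directory below is constructed sample data (domain SID, DNs and RIDs are
made up); in a real check you would pull the same attributes with an LDAP
browser or ldapsearch.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

BASE_DN = "DC=example,DC=local"                           # assumed
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # assumed
DOMAIN_USERS_RID = 513   # well-known RID; default primaryGroupID for new users
DOMAIN_GUESTS_RID = 514  # well-known RID; default primaryGroupID for Guest


@dataclass
class Entry:
    """The handful of AD attributes an LDAP browser would show for an object."""
    dn: str
    object_class: str                 # "user" or "group"
    sam_account_name: str
    object_sid: str                   # "<domain SID>-<RID>"
    primary_group_id: Optional[int] = None            # users: RID of primary group
    member: List[str] = field(default_factory=list)   # groups: DNs of direct members


def rid_of(sid: str) -> int:
    """The relative identifier is the last component of the SID."""
    return int(sid.rsplit("-", 1)[1])


def user(cn: str, rid: int, primary_group: int = DOMAIN_USERS_RID) -> Entry:
    return Entry(f"CN={cn},CN=Users,{BASE_DN}", "user", cn,
                 f"{DOMAIN_SID}-{rid}", primary_group_id=primary_group)


def group(cn: str, rid: int, members: Optional[List[str]] = None) -> Entry:
    return Entry(f"CN={cn},CN=Users,{BASE_DN}", "group", cn,
                 f"{DOMAIN_SID}-{rid}", member=list(members or []))


# Constructed sample directory.  The built-in "Domain Users" group has an
# EMPTY member attribute even though alice and bob belong to it: AD records
# that membership only through each user's primaryGroupID.
DIRECTORY: List[Entry] = [
    group("Domain Users", DOMAIN_USERS_RID),
    group("Domain Guests", DOMAIN_GUESTS_RID),
    group("VPN-Users", 1105, members=[f"CN=alice,CN=Users,{BASE_DN}"]),
    user("alice", 1103),
    user("bob", 1104),
    user("guest", 501, primary_group=DOMAIN_GUESTS_RID),
]


def _index(directory: List[Entry]) -> Dict[str, Entry]:
    return {e.dn: e for e in directory}


def direct_members(directory: List[Entry], group_dn: str) -> Set[str]:
    """Members visible through the group's 'member' attribute alone, i.e. what
    a naive LDAP query (or memberOf on the user side) reports."""
    idx = _index(directory)
    return {idx[dn].sam_account_name for dn in idx[group_dn].member if dn in idx}


def all_members(directory: List[Entry], group_dn: str) -> Set[str]:
    """Direct members plus every user whose primaryGroupID is this group's RID."""
    idx = _index(directory)
    group_rid = rid_of(idx[group_dn].object_sid)
    names = direct_members(directory, group_dn)
    names |= {e.sam_account_name for e in directory
              if e.object_class == "user" and e.primary_group_id == group_rid}
    return names


def groups_of(directory: List[Entry], user_dn: str) -> Set[str]:
    """Groups a user belongs to: the memberOf view plus the primary group."""
    idx = _index(directory)
    u = idx[user_dn]
    names = {g.sam_account_name for g in directory
             if g.object_class == "group" and user_dn in g.member}
    if u.primary_group_id is not None:
        names |= {g.sam_account_name for g in directory
                  if g.object_class == "group"
                  and rid_of(g.object_sid) == u.primary_group_id}
    return names


if __name__ == "__main__":
    for g in (e for e in DIRECTORY if e.object_class == "group"):
        print(f"{g.sam_account_name:14} member attr: "
              f"{sorted(direct_members(DIRECTORY, g.dn))!s:20} "
              f"resolved: {sorted(all_members(DIRECTORY, g.dn))}")
    print("alice is in:", sorted(groups_of(DIRECTORY, f"CN=alice,CN=Users,{BASE_DN}")))
```

Against a real domain, compare the two views the same way: enumerate the group's member attribute, then search for users with primaryGroupID equal to the group's RID. If only the second search returns the accounts you expect, the group is populated purely by primary-group membership, and any tool that only reads member/memberOf will show it as empty.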
01-07-2014 11:25 AM
When I build firewall policy rules, say for URL Filtering, I should be able to see not only all the groups pulled from AD, but also the user IDs I want to add to that policy. Only group names are listed and not actual user names. Below is a screenshot of when I expand the 'Group Include List' in Group Mapping; I should be able to see the users I've created in AD under CN=Users, CN=Domain Users, or whatever group they're a part of.
I created a user called 'test' in AD, and issuing the below command, it's not found in any group:
admin@PA-200> show user user-IDs match-user <test>
User Name Vsys Groups
------------------------------------------------------------------
Total: 6
Using another AD browser and searching for the user 'test', it can be found, but it's not listed or shown in the PAN when expanding Group Mapping.
01-08-2014 06:20 AM
Coming from Blue Coat and being relatively new to PAN, I found out you have to manually type the domain\userid to apply a policy to an individual. This will be my solution for now; I'll just create policies around groups and not individuals, which is probably best and more easily managed.
Thank you all for your input and support!