error user in group mapping

Showing results for 
Show  only  | Search instead for 
Did you mean: 

error user in group mapping

L4 Transporter



After upgrading to 8.1.X > 9.0.X > 9.1.x. we found that some ldap users do not check per user policies, only for ip politicies.  

The firewall has no user-id configured, only tree server ldap.
we check that the firewall recognizes the Ldap tree. 
Is there any issue of incompatibility with the version?

Cyber Elite
Cyber Elite

@BigPalo ,

Can you describe your issue a bit more. I'm not sure exactly what you mean by "some ldap users do not check per user policies, only for ip politicies". Are you trying to get these users to match user based rulebase entries? 


I explain the problem in more detail. After performing a firmware update from 8.1.X to 9.1.X we found the following problem.

From a PC we authenticate by ldap with the user "cafeteria", we observe in the monitor that the traffic machea by IP and not by user, which causes that it does not do mach due to the policies configured by user and this traffic is dropped

From the same PC, we try with another user "egonzalez" authenticates correctly and we verify in the monitor that it registers by user.

They do not have user-id agent configured. LDAP only with all group mapping.


Is there a bug with the version?



Hi @BigPalo,


What do you mean by "From a PC we authenticate by ldap with the user"?


Group mapping provide information for user group membership (which users are part of specific user group). This inforamtion is used if you want to use user groups (not individual users) in configuration.


Firewall still needs information for the actual user-to-ip mapping? What method are you using for to gather this information? If you don't use user-id agent, are you using Captive portal with Authentication policy?


Might want to search the release notes, however I have not seen this before. How are your user-id's getting processed, i.e. pointing at Domain Controllers, exchange, etc.? When the firewalls reboot, the user-id mappings get flushed if using agentless. So if the user-id doesnt see a new login, it will not show the mapping. I have seen a lot and hence I use Exchange logs rather than domain controllers since Outlook is constantly authenticating against the exchange servers.



Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!