For my next feat . . . User Identification and Active Directory

Reply
bdunbar
L3 Networker

For my next feat . . . User Identification and Active Directory

  • PAN-200
  • Software version: 6.0.1
  • GlobalProtect Agent: 2.0.4

Me, again.  Linux/Unix guy, drafted to be the Windows / Network guy when that fellow left.

Our network reseller setup the device.  I'm trying to dope this stuff out a) because their time is valuable and we're minding our dollars and b) I really need to _know_ this stuff.

My next feat is to get some of the Windows 8 peecees in the office connected through the VPN to login to the domain controller in the (remote) data center.

VPN login using Local User Database works fine: turn on the Global Protect client, and we can remote login (RDP, ssh) any resource in the data center.  Great!

I've got a domain controller, and the beginnings of a nice little Active Directory setup: lookin' okay there, too.

Edit the DNS so the device is looking at my Domain Controller.

Go to Device - User Identification . User Mapping  - Edit User ID Agent Setup

Fill in a valid service user in the domain, with the right groups.

Go to Server Monitoring - hit Discover: nothing.

Click Add, give it the information - status is

I think 'that's funny' and shell into the host.

admin@<redacted host> ping host 209.59.31.137

PING 209.59.31.137 (209.59.31.137) 56(84) bytes of data.

From 10.220.0.127 icmp_seq=2 Destination Host Unreachable

And I don't even know where 10.220.0.127 came from.  I get that when I (try) to ping Google ...

admin@<redacted host> ping host 8.8.8.8

PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.

From 10.220.0.127 icmp_seq=1 Destination Host Unreachable

From 10.220.0.127 icmp_seq=2 Destination Host Unreachable

I _guess_ I've got a routing issue?  All I want to be able to do is login, man, and get this thing up and running with Active Directory.

I _feel_ like I don't even know where to begin.


Accepted Solutions
hshah
L6 Presenter

Hi Bdunbar,

You can route user-id traffic through dataplane. You need to configure service route. Refer following document.

Setting a Service Route for Services to Use a Dataplane Interface from the Web UI and CLI

Regards,

Hardik Shah

View solution in original post


All Replies
panos
L6 Presenter

could you share output after typing configure

# show deviceconfig system

bat
L5 Sessionator

Hi bdunbar

10.220.0.127 should be the IP that does not have that route to the destination 209.59.31.137 that is why it is replying with ICMP destination unreachable. This is either your default gateway in management interface settings (Device > Setup > Management ) or some device in between the path to the destination.

We will wait for you to attach the above output requested.

Thanks

bdunbar
L3 Networker

output ..

admin@tn-gateway-01# show deviceconfig system

system {

  ip-address 10.220.0.127;

  netmask 255.255.255.0;

  update-server updates.paloaltonetworks.com;

  update-schedule {

    threats {

      recurring {

        daily {

          at 01:30;

          action download-and-install;

        }

      }

    }

    wildfire {

      recurring {

        every-hour {

          at 20;

          action download-and-install;

        }

      }

    }

    global-protect-datafile {

      recurring {

        weekly {

          action download-and-install;

          at 03:00;

          day-of-week sunday;

        }

      }

    }

    anti-virus {

      recurring {

        daily {

          at 00:30;

          action download-and-install;

        }

      }

    }

  }

  timezone US/Central;

  service {

    disable-telnet yes;

    disable-http yes;

  }

  hostname tn-gateway-01;

  default-gateway 10.220.0.1;

  dns-setting {

    servers {

      primary 209.59.29.221;

    }

  }

  route {

    service {

      dns {

        source {

          address 209.59.31.140/29;

          interface vlan.10;

        }

      }

      email {

        source {

          address 209.59.31.140/29;

          interface vlan.10;

        }

      }

      ntp {

        source {

          address 209.59.31.140/29;

          interface vlan.10;

        }

      }

      paloalto-updates {

        source {

          address 209.59.31.140/29;

          interface vlan.10;

        }

      }

      url-updates {

        source {

          address 209.59.31.140/29;

          interface vlan.10;

        }

      }

      wildfire {

        source {

          address 209.59.31.140/29;

          interface vlan.10;

        }

      }

    }

  }

  ntp-server-1 209.118.204.201;

  domain corp.cicayda.com;

  login-banner "Who knocks on my castle door? ";

}

[edit]

admin@tn-gateway-01#

hshah
L6 Presenter

Hi Bdundbar,

IP address and default gateway looks good, in that case I think firewall is not learning ARP entry for default gateway.

destination host unreachable

Can you ping default gateway or does firewall learn ARP entry for default gateway.

Regards,

Hardik Shah

bdunbar
L3 Networker

"Can you ping default gateway"


Nope.


admin@tn-gateway-01> ping host 10.220.0.1

PING 10.220.0.1 (10.220.0.1) 56(84) bytes of data.

From 10.220.0.127 icmp_seq=3 Destination Host Unreachable

From 10.220.0.127 icmp_seq=4 Destination Host Unreachable

From 10.220.0.127 icmp_seq=5 Destination Host Unreachable

From 10.220.0.127 icmp_seq=6 Destination Host Unreachable

^C

--- 10.220.0.1 ping statistics ---

7 packets transmitted, 0 received, +4 errors, 100% packet loss, time 6023ms

, pipe 3

"or does firewall learn ARP entry for default gateway."

You lost me.  Sorry: I don't know where to find a value like that?  If it helps .. my arp table ..

admin@tn-gateway-01> show arp all

maximum of entries supported :      500

default timeout:                    1800 seconds

total ARP entries in table :        14

total ARP entries shown :           14

status: s - static, c - complete, e - expiring, i - incomplete

interface         ip address      hw address        port              status   ttl

--------------------------------------------------------------------------------

ethernet1/4       209.59.29.194   00:25:90:d1:e9:36 ethernet1/4         c      315

ethernet1/4       209.59.29.195   00:25:90:af:44:44 ethernet1/4         c      744

ethernet1/4       209.59.29.196   00:25:90:d1:ea:88 ethernet1/4         c      999

ethernet1/4       209.59.29.199   00:25:90:d1:e9:07 ethernet1/4         c      756

ethernet1/4       209.59.29.201   a0:36:9f:1d:fe:8c ethernet1/4         c      849

ethernet1/4       209.59.29.203   00:0c:29:f7:8b:ba ethernet1/4         c      547

ethernet1/4       209.59.29.210   a0:36:9f:21:96:f0 ethernet1/4         c      1722

ethernet1/4       209.59.29.221   00:0c:29:ab:17:b0 ethernet1/4         c      1788

ethernet1/4       209.59.29.222   00:0c:29:75:a7:f9 ethernet1/4         c      1423

ethernet1/4       209.59.29.224   00:0c:29:ff:4f:54 ethernet1/4         c      1799

ethernet1/4       209.59.29.254   54:e0:32:f3:2d:81 ethernet1/4         c      1659

vlan.10           209.59.31.137   00:00:0c:07:ac:0d ethernet1/1         c      1221

vlan.10           209.59.31.138   84:78:ac:55:d1:c1 ethernet1/1         c      1669

vlan.10           209.59.31.139   d8:67:d9:0f:05:41 ethernet1/2         c      1669

Which causes me to realize a thing, that may or may not be relevant.

I was having a time getting the hypervisors to talk on the vlan set aside for the 'private' 10.x.x.x network, so put my first round of hosts in the 209.59.29.193/26 network, hanging off ethernet 1/4.  After this deployment is done, I said, I'd go back and figure out what the problem is.

panos
L6 Presenter

used many service route configuration probably management interface has no access to internet and AD either.You may change Active Directory access interface.

Go to Device/Setup/Services/Service Route Configuration Choose destination as AD ip address and choose your LAN interface and IP.(which can access to AD)

hshah
L6 Presenter

Hi Bdunbar,

Command to view management interface arp is " show arp management". In this case I am very positive firewall is not learning ARP for default gateway. Hence everything is unreachable just from management interface.

Regards,

Hardik SHah

hshah
L6 Presenter

Hi Bdunbar,

You can route user-id traffic through dataplane. You need to configure service route. Refer following document.

Setting a Service Route for Services to Use a Dataplane Interface from the Web UI and CLI

Regards,

Hardik Shah

View solution in original post

bdunbar
L3 Networker

That did it, thank you very much.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!