New Pan Agent.

L2 Linker

We recently installed the new PAN agent 4.1.4.3.

Since we installed this, we don't seem to be able to get at our LDAP group, against which we have many security rules.

I have been told that an option exists in the User-ID agent settings under the Device tab to define the groups. Having done this, the groups are still ignored during rule processing.

To compound matters, the Help within the PAN agent software is quite poor, to say the least. Are there any documents that spell out how to set this up? Security groups used to work under the old PA agent.

I would be grateful if someone could point me in the right direction, please.

Thanks

Nalin.

L6 Presenter

Yes, in PAN-OS 4.1 the group membership is done by the PA firewall, and the agent is dedicated to obtaining the user-ID-to-IP mapping. It appears that you have configured the 'Group Mapping Settings' under the Device tab. To verify your setting, in the CLI you can issue a command to see if your groups are being retrieved:

admin@pa-fw> show user group list

Check to see if the domain\grp_name matches those in your policies.

Thanks.

L4 Transporter

Yes, that's a big drawback of the new User Agent: group mapping configuration was centralized on the agent itself. Now you have to reconfigure it on each firewall, and there is no way to do global updates about this from Panorama.

Believe me, it's painful when you have 20+ installations around the world.

L4 Transporter

I have installed the ver. 3 client on the same box as my ver. 4 client (different ports for each client). I get the best of both worlds that way.

Bob

L2 Linker

Thanks to all those who responded. Khipu, our support partners, logged in and ran a couple of CLI commands. They also restarted the User-ID process within the PA box. This seemed to cure the problem. I could then see the rules being properly applied and users being correctly associated with their groups.

Personally I don't think this part of the PA box is well implemented.

I will try to update this post with the CLI commands that were used to validate the user -> group -> IP address association.

Thanks to all again.

Nalin.

Not applicable

Nalin,

Have you managed to find out what commands were used, as I'm having the same problem? I have configured AD groups, but they are being ignored during rule processing.

Thanks

David

L2 Linker

Hi David,

Here are my notes on the matter; hopefully they will guide you to a solution.

1. Some bits have to be in place now to get User-ID working.

2. The User-ID agent doesn't do groups. They are done within the User-ID agent option within the Device tab of the PA GUI.

3. There are a couple of tech documents on how to set this up. Don't look in the help within the User-ID agent; it's useless.

4. The CLI commands to use to debug issues are as follows: "show user ip-user-mapping ip 99.99.99.99"

The other is "debug user-id refresh group-mapping all".

"debug software restart user-id" ---> this restarts a service within the PA box. This fixed us seeing duplicated groups in drop-down boxes.

Please note I am a mere mortal when it comes to PA matters, so please use care when using these commands. Look up the command syntax, context and description, and then run them so that you are aware of what you are doing. Hopefully this will help you.

Regards

Nalin.

Not applicable

Hi Nalin

Thanks for your notes. I will give them a try.

Regards

David Wallis

Not applicable

A warning for all: you can't retrieve the membership of the "Domain Users" group in Active Directory (usually people's "primary group") from the Palo Alto firewall's direct group enumeration.

In Active Directory the "primary group" for each user (usually the "Domain Users" group) is not part of the list of groups the user is a "memberOf". Instead, the primary group token (just an ID) is stored in each user's record.

So stick to your own created groups, or utilise the "any authenticated user" option. "Domain Users" is a no-go group...

(well, at least as far as a simple query goes.)
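The primary-group behaviour described in the post above, worked through as an added example (this is not code from the original thread or from Palo Alto Networks). It takes a constructed user entry and two constructed group entries in the shape AD returns them over LDAP, shows that an enumeration based on memberOf never yields "Domain Users", and recovers the primary group by combining the domain part of the user's binary objectSid with primaryGroupID (513 is the well-known RID of Domain Users). The directory name example.com, the DNs and the SID values are made up for the example.

```python
import struct

# Constructed sample data (not from a real directory): one domain, two groups,
# one user whose only memberOf entry is "VPN Users".  primaryGroupID 513 is the
# well-known RID of "Domain Users" in every AD domain.
DOMAIN_SID = "S-1-5-21-1111-2222-3333"


def sid_to_bytes(sid: str) -> bytes:
    """Encode an S-1-... string as the binary objectSid AD returns over LDAP:
    revision (1 byte), sub-authority count (1 byte), identifier authority
    (6 bytes big-endian), then each sub-authority as a little-endian uint32."""
    parts = sid.split("-")
    if parts[0] != "S":
        raise ValueError("not a SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def bytes_to_sid(blob: bytes) -> str:
    """Decode a binary objectSid back into S-1-... form."""
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


# dn -> objectSid (binary), as a search for (objectClass=group) would return them
GROUPS = {
    "CN=Domain Users,CN=Users,DC=example,DC=com": sid_to_bytes(DOMAIN_SID + "-513"),
    "CN=VPN Users,OU=Groups,DC=example,DC=com": sid_to_bytes(DOMAIN_SID + "-1200"),
}

# A user record: note that memberOf does NOT contain Domain Users; only the
# primaryGroupID attribute (a bare RID) records that membership.
USER = {
    "dn": "CN=nalin,CN=Users,DC=example,DC=com",
    "objectSid": sid_to_bytes(DOMAIN_SID + "-1105"),
    "primaryGroupID": 513,
    "memberOf": ["CN=VPN Users,OU=Groups,DC=example,DC=com"],
}


def primary_group_sid(user_sid_blob: bytes, primary_group_id: int) -> str:
    """Rebuild the primary group's SID: the user's SID minus its trailing RID
    is the domain SID; append primaryGroupID as the group's RID."""
    domain_sid, _, _user_rid = bytes_to_sid(user_sid_blob).rpartition("-")
    return "%s-%d" % (domain_sid, primary_group_id)


def groups_via_memberof(user: dict, groups: dict) -> list:
    """What a memberOf-based enumeration (a 'simple query') sees for the user."""
    return sorted(dn for dn in user["memberOf"] if dn in groups)


def effective_groups(user: dict, groups: dict) -> list:
    """memberOf plus the primary group resolved through primaryGroupID."""
    wanted = primary_group_sid(user["objectSid"], user["primaryGroupID"])
    dn_by_sid = {bytes_to_sid(blob): dn for dn, blob in groups.items()}
    result = set(groups_via_memberof(user, groups))
    if wanted in dn_by_sid:
        result.add(dn_by_sid[wanted])
    return sorted(result)


if __name__ == "__main__":
    print("memberOf only :", groups_via_memberof(USER, GROUPS))
    print("with primary  :", effective_groups(USER, GROUPS))
```

If you need the membership of a primary group from the directory side, search the user objects rather than the group's member attribute, for example with the filter (&(objectCategory=person)(primaryGroupID=513)); that is the extra lookup the post says a simple group enumeration does not perform.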

L1 Bithead

Thanks a lot.

I have been struggling a lot with this problem of not getting the "domain-users" group to work. Will there be any other way to do this?

I see the option "known-user", but I do not find your proposed "any authenticated user" option. Can you please specify?

I do not understand why "domain users" is not working. Is there another way of fixing this?

Thank you for the warning :)

Regards

Stig Bakke
