05-15-2012 02:19 PM
We recently installed the new PAN agent 4.1.4.3.
Since we installed this we don't seem to be able to get at our LDAP group against which we have many security rules.
I have been told that an option exists within the User-ID agent option in the Device tab to define the groups. Having done this, the groups are still ignored during rule processing.
To compound matters, the Help within the PAN agent software is quite poor to say the least. Are there any documents that spell out how to set this up? Security groups used to work under the old PA agent.
I would be grateful if someone can point in the right direction please.
Thanks
Nalin.
05-16-2012 08:00 AM
Yes, in PAN-OS 4.1 the group membership is done by the PA firewall and the agent is dedicated to obtaining user-ID-to-IP mapping. It appears that you have configured the 'Group Mapping Settings' under the Device tab. To verify your setting, in the CLI you can issue a command to see if your groups are being retrieved:
admin@pa-fw> show user group list
Check to see if the domain\grp_name matches those in your policies.
Thanks.
05-16-2012 08:05 AM
Yes, that's a big drawback of the new User Agent: group mapping configuration was centralized on the agent itself. Now you have to reconfigure it on each firewall and there is no way to do global updates about this from Panorama.
Believe me it's painful when you have 20+ installations around the world.
05-17-2012 01:50 PM
I have installed the ver. 3 client on the same box as my ver. 4 client (different ports for each client). I get the best of both worlds that way.
Bob
05-17-2012 02:14 PM
Thanks to all those who responded. Khipu, our support partners, logged in and ran a couple of CLI commands. They also restarted the user-id process within the PA box. This seemed to cure the problem. I could then see the rules being properly applied and users being correctly associated with their groups.
Personally I don't think this part of the PA box is well implemented.
I will try to update this post with the CLI commands that were used to validate the user -> group -> IP address association.
Thanks to all again.
Nalin.
05-23-2012 08:39 AM
Nalin,
Have you managed to find out what commands were used, as I'm having the same problem? I have configured AD groups but they are being ignored during rule processing.
Thanks
David
05-24-2012 01:23 AM
Hi David,
Here are my notes on the matter; hopefully they will guide you to a solution.
1. Some bits have to be in place now to get the User-ID working.
2. The User-ID agent doesn't do groups. They are done within the User-ID agent option within the Device tab of the PA GUI.
3. There are a couple of tech documents on how to set this up. Don't look in the help within the User-ID agent; it's useless.
4. The CLI commands to use to debug issues are as follows. "show user ip-user-mapping ip 99.99.99.99"
The other is "debug user-id refresh group-mapping all"
"debug software restart user-id" ---> this restarts a service within the PA box. This fixed us seeing duplicated groups in drop-down boxes.
Please note I am a mere mortal when it comes to PA matters. So please use care when using these commands. Look up the command syntax, context and description and then run them so that you are aware of what you are doing. Hopefully this will help you.
Regards
Nalin.
05-25-2012 03:02 AM
Hi Nalin
Thanks for your notes. I will give them a try.
Regards
David Wallis
05-25-2012 04:39 AM
A warning for all: you can't retrieve the membership of the "Domain Users" group in Active Directory (usually people's "primary group") from the Palo Alto firewall's direct group enumeration.
In Active Directory the "primary group" for each user (usually the "Domain Users" group) is not part of the list of groups the user is a "memberOf". Instead, the primary group token (just an ID) is stored in each user's record.
So stick to your own created groups, or utilise the "any authenticated user" option. "Domain Users" is a no-go group...
(well, at least as far as a simple query goes.)
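The primary-group behaviour described in the reply above, shown as an added example that is not from this thread or from Palo Alto Networks: a memberOf-based enumeration of "Domain Users" returns nobody, while a lookup that also compares each user's primaryGroupID with the group's RID finds them. The directory records, DNs, SIDs and account names are constructed samples, and the helper functions are hypothetical.

```python
# Added example (not from the thread): why a memberOf-based group lookup misses
# "Domain Users". In Active Directory a user's primary group is recorded as a
# RID in the user's primaryGroupID attribute, not as an entry in memberOf, so an
# enumeration that only reads memberOf (or the group's member attribute) never
# sees those users. All records below are constructed samples.

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed sample

# Constructed group objects. The objectSid of Domain Users always ends in RID 513.
GROUPS = {
    "CN=Domain Users,CN=Users,DC=example,DC=com": {
        "objectSid": DOMAIN_SID + "-513",
        "member": [],  # primary-group members are NOT listed here
    },
    "CN=VPN-Users,OU=Groups,DC=example,DC=com": {
        "objectSid": DOMAIN_SID + "-1105",
        "member": ["CN=alice,CN=Users,DC=example,DC=com"],
    },
}

# Constructed user objects: both users have Domain Users as their primary group.
USERS = {
    "CN=alice,CN=Users,DC=example,DC=com": {
        "sAMAccountName": "alice",
        "primaryGroupID": 513,
        "memberOf": ["CN=VPN-Users,OU=Groups,DC=example,DC=com"],
    },
    "CN=bob,CN=Users,DC=example,DC=com": {
        "sAMAccountName": "bob",
        "primaryGroupID": 513,
        "memberOf": [],
    },
}


def rid(sid):
    """Return the relative identifier: the last dash-separated component of an SID."""
    return int(sid.rsplit("-", 1)[1])


def members_by_memberof(group_dn):
    """The simple enumeration: users whose memberOf attribute names the group."""
    return {u["sAMAccountName"] for u in USERS.values() if group_dn in u["memberOf"]}


def members_with_primary_group(group_dn):
    """Same, plus users whose primaryGroupID equals the RID of the group's objectSid."""
    group_rid = rid(GROUPS[group_dn]["objectSid"])
    primary = {u["sAMAccountName"] for u in USERS.values() if u["primaryGroupID"] == group_rid}
    return members_by_memberof(group_dn) | primary
```

Running members_by_memberof on the Domain Users DN returns an empty set, which is exactly what a firewall doing a plain memberOf query sees; members_with_primary_group returns both users.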
09-17-2012 03:04 AM
Thanks a lot.
I have been struggling a lot with this problem of not getting the "Domain Users" group to work. Will there be any other way to do this?
I see the option "known-user" but I do not find your proposed "any authenticated user" option. Can you please specify?
I do not understand why "Domain Users" is not working. Is there another way of fixing this?
Thank you for the warning
Regards
Stig Bakke