No Source User displayed
L1 Bithead

Hi

We have just completed an upgrade from PANOS 5.0.3 to 6.0.2.

Everything seems OK with the exception of the GlobalProtect agents (and Shrew VPN) not being allowed onto the network. A successful connection is made by GlobalProtect but you can't connect to servers or see the network as everything gets dropped by a policy rule that drops everything coming from the Tunnel.

What we do is have several different rules that control which users can see which servers. As an admin I get to see the entire network. The rules use the 'source user' to decide what you can see. All fairly standard stuff and it was working fine when we ran 5.0.3. However, since the upgrade everything gets dropped by the drop rule.

To clarify the rules:-

1. Allow DNS traffic to the DNS servers.

2. Allow users A,B and C access to server one.

3. Allow users D,E and F access to server two.

4. Drop all traffic from the Tunnel.

When I monitor the traffic logs and filter to just look at stuff coming from the Tunnel zone I've noticed that there is nothing listed under the 'Source User' column (user accounts were listed under 5.0.3). The fact that the packets are dropped by the 'drop everything from the tunnel' rule tells me that the source user isn't being seen by the policy (otherwise it would have been allowed by a previous rule). There is one rule (the first one) that allows DNS lookups and this rule works, but that policy doesn't use Source User in its settings.

I've checked that UserID is enabled still on the Tunnel interface and the following command returns the correct data for 'domain' and 'user':-

    show user ip-user-mapping ip 10.10.100.19

    IP address:  10.10.100.19 (vsys1)
    User:        domain\user
    From:        GP
    Idle Timeout: 10558s
    Max. TTL:    10558s
    Groups that the user belongs to (used in policy)

When I look at the System logs I can see the GlobalProtect agent connect and it shows the correct user account details.

I see UserIDs correctly on the LAN interface so UserID is working.

Anyone got any thoughts as to why after the upgrade the Source User isn't being seen by the policy? As I said, it was working fine in 5.0.3 and short of doing the upgrade, nothing has changed (I'm going through the config audit to confirm).

Any help would be appreciated.

Alan
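The post's own diagnosis rests on two observations: the CLI shows a valid IP-to-user mapping for the tunnel client, yet the traffic log shows an empty Source User for flows from the Tunnel zone. The following script is an added example (not code from the post or from Palo Alto Networks) that automates exactly that cross-check: it parses the `show user ip-user-mapping` text in the layout shown above and a traffic-log CSV export, then flags flows whose source IP has a mapping but whose log entry carries no user. The CSV column names (`from_zone`, `src`, `src_user`, `rule`, and so on) are assumptions, and both inputs are constructed samples embedded for offline use.

```python
"""
Cross-check User-ID mappings against traffic-log attribution.

Separates two different failure modes that look alike in policy:
  - no mapping exists for the source IP   -> User-ID collection problem
  - mapping exists but Source User is empty -> policy is not consulting the
    mapping for that zone (the symptom described in the post)
"""
import csv
import io
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample, modelled on the CLI layout quoted in the post.
SAMPLE_MAPPING_OUTPUT = r"""
IP address:  10.10.100.19 (vsys1)
User:        domain\user
From:        GP
Idle Timeout: 10558s
Max. TTL:    10558s
Groups that the user belongs to (used in policy)
"""

# Constructed traffic-log export. Column names are an assumption for this
# example, not the firewall's exact CSV header.
SAMPLE_TRAFFIC_CSV = r"""receive_time,from_zone,to_zone,src,dst,src_user,rule,action
2014-05-12 09:01:02,Tunnel,LAN,10.10.100.19,10.1.1.10,,Drop-All-Tunnel,deny
2014-05-12 09:01:03,Tunnel,LAN,10.10.100.19,10.1.1.53,,Allow-DNS,allow
2014-05-12 09:01:05,LAN,LAN,10.1.2.7,10.1.1.10,domain\alice,Allow-Server-One,allow
2014-05-12 09:01:09,Tunnel,LAN,10.10.100.44,10.1.1.10,,Drop-All-Tunnel,deny
"""

# "Key:   value" lines; the trailing "Groups ..." line has no colon and is skipped.
_FIELD_RE = re.compile(r"^([A-Za-z. ]+?):\s+(.*)$")


def parse_ip_user_mapping(text: str) -> dict:
    """Parse one `show user ip-user-mapping ip <ip>` block into a record."""
    rec: dict = {}
    for line in text.splitlines():
        m = _FIELD_RE.match(line.strip())
        if not m:
            continue
        key, value = m.group(1).strip().lower(), m.group(2).strip()
        if key == "ip address":
            ip, _, vsys = value.partition(" ")
            rec["ip"] = ip
            rec["vsys"] = vsys.strip("()")
        elif key == "user":
            rec["user"] = value
        elif key == "from":
            rec["source"] = value          # e.g. GP for a GlobalProtect-learned mapping
        elif key in ("idle timeout", "max. ttl"):
            rec[key.replace(". ", "_").replace(" ", "_")] = int(value.rstrip("s"))
    return rec


def find_unattributed_flows(mappings: Dict[str, str], traffic_csv: str) -> List[dict]:
    """Return log rows whose source IP is mapped but whose Source User is empty."""
    findings = []
    for row in csv.DictReader(io.StringIO(traffic_csv)):
        if row["src_user"].strip():
            continue                        # policy saw a user; nothing to flag
        user = mappings.get(row["src"])
        if user is None:
            continue                        # no mapping at all: different problem
        findings.append({
            "time": row["receive_time"],
            "zone": row["from_zone"],
            "src": row["src"],
            "expected_user": user,
            "rule": row["rule"],
            "action": row["action"],
        })
    return findings


def attribution_by_zone(traffic_csv: str) -> Dict[str, Tuple[int, int]]:
    """Per source zone: (flows with a Source User, total flows)."""
    with_user: Dict[str, int] = defaultdict(int)
    total: Dict[str, int] = defaultdict(int)
    for row in csv.DictReader(io.StringIO(traffic_csv)):
        zone = row["from_zone"]
        total[zone] += 1
        if row["src_user"].strip():
            with_user[zone] += 1
    return {z: (with_user[z], total[z]) for z in total}


if __name__ == "__main__":
    rec = parse_ip_user_mapping(SAMPLE_MAPPING_OUTPUT)
    for f in find_unattributed_flows({rec["ip"]: rec["user"]}, SAMPLE_TRAFFIC_CSV):
        print(f"{f['time']} zone={f['zone']} src={f['src']} mapped_to={f['expected_user']} "
              f"rule={f['rule']} action={f['action']}  <- mapping present, user not applied")
    for zone, (hit, n) in attribution_by_zone(SAMPLE_TRAFFIC_CSV).items():
        print(f"{zone}: {hit}/{n} flows carry a Source User")
```

A zone that shows mappings for its clients but 0/N attributed flows, while another zone on the same firewall attributes normally, points at the zone or interface configuration rather than at User-ID collection, which is consistent with the fix the thread arrived at.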

Accepted Solutions

L1 Bithead

Hi All

I managed to fix this by creating a new zone and interface and reconfiguring the gateway to use the new interface etc. As soon as this was committed the Source User started showing up again. I then just changed the policy rules to use the new zone and service was resumed.

Thanks for reading.

Alan
