07-23-2018 01:53 AM
We have configured GlobalProtect VPN. We are trying to configure specific users/user groups under the GlobalProtect Gateway in the AGENT config on the Panorama server. Unfortunately, we are not able to see any user IDs/user groups in the drop-down list. But we can see the list locally on the firewall.
Need your help.
07-23-2018 06:21 AM
1. Yes, user IDs/groups are visible on the gateway but not on Panorama.
2. Yes, the user list auto-populates when you start typing on Panorama.
07-23-2018 06:27 AM
Yes, I think this is a little confusing.
The user list does display on the local firewall, but only if those users have been included or used.
Try creating a new \agent\config on the firewall and see what happens when you try to add users. It only shows the groups, not members. Panorama acts in the same way.
07-23-2018 06:42 AM
Hello KPITNOC,
This is one thing that I've always found a little bit hokey on Palo Alto when using Panorama to manage things. The User-ID and group mapping process happens on the local firewall, but on Panorama, it's not necessarily the same. If you're configuring a User-Group mapping on the local firewall, Panorama in the past would not see this. I always had to copy the group name that shows up on the local firewall and push that setting through Panorama, or use the LDAP long name notation to push this from Panorama. It looks like this may have changed:
In the above article it says they fixed this, and the group mappings should be pulled from the master device. Do you have a master device setup for that device-group? If not, try setting the device that has the group mappings on it and then see if it populates.
Let me know what you find there.
Thanks
07-23-2018 06:44 AM - edited 07-23-2018 06:44 AM
I forgot to mention, you will probably need to commit the Panorama configuration after setting a master device before anything will populate.
07-23-2018 06:48 AM
Hi, Thanks for your mail.
We have configured a Master device on Panorama. Also, we are able to configure/select user IDs/groups while configuring security policies on the same Panorama server.
We are not able to see the users list/groups under the GlobalProtect Gateway in the AGENT tab. The same is visible locally on the firewall.
07-25-2018 07:51 AM
Hi @KPITNOC
What version is your Panorama on? The User-ID process running on Panorama was only implemented in PAN-OS 8.0 and above.
Thanks,
Luke.
07-25-2018 08:17 AM - edited 07-25-2018 08:17 AM
Hi,
Thanks for your reply.
It is currently the expected design of Panorama to not show user-group/user ID information in Templates even when we have configured a Master device under the device group.
We are raising a Feature Request with the Palo Alto team for the same. We will share the number ASAP. Please give your vote for it.
Thanks again!
02-13-2020 09:33 AM
Is it fixed because I think we have the same issue (Panorama - PAN-OS 9.0.4) ?!
Thanks,
Dominic.
06-05-2020 03:39 AM
We're facing this issue as well.
Feature requests take for everrrrrrrr
I'm now going to test if using the long string is a work-around...
Anybody else found a work-around for this other than making a local override on the FW?
kr,
Kim
10-19-2021 06:46 PM
Did this issue get fixed? I am having a similar problem: not being able to see the source user/group list in the GlobalProtect Agent configuration.
Thank you
01-04-2023 06:51 PM
Nearly 4 years later and this issue still isn't fixed... at least not in 9.1.
01-04-2023 07:08 PM
The dropdown will not populate users/groups indeed, but you can enter them manually and they will take effect.
01-05-2023 01:55 PM
What format does this take? Is it the fully qualified distinguished name (like adding it to group mappings) or just the domain\name (like adding it to security policies)?
Maybe include this in future GlobalProtect documentation, given they don't seem to be fixing this anytime soon in Panorama...