Not able to configure user/user groups under Global Protect Gateway under Panorama, same is possible

L1 Bithead

We have configured Global Protect VPN. We are trying to configure specific users/user groups under Global Protect Gateway in the AGENT config on the Panorama server. Unfortunately, we are not able to see any user IDs/user groups in the drop-down list. But we can see the list locally on the firewall.

Need your help.

16 REPLIES

L7 Applicator

Is the user list visible on the actual firewall itself?

Does the userlist auto-populate when you start typing on Panorama?

1. Yes, user IDs/Groups are visible on the gateway but not on Panorama.

2. Yes, the userlist auto-populates when you start typing on Panorama.

Yes, I think this is a little confusing.

The user list does display on the local firewall, but only if those users have been included or used.

Try creating a new \agent\config on the firewall and see what happens when you try to add users. It only shows the groups, not members. Panorama acts in the same way.

L2 Linker

Hello KPITNOC,

 

This is one thing that I've always found a little bit hokey on Palo Alto when using Panorama to manage things. The user-id and group mapping process happens on the local firewall, but on Panorama, it's not necessarily the same. If you're configuring a User-Group mapping on the local firewall, Panorama in the past would not see this. I always had to copy the group name that shows up on the local firewall and push that setting through Panorama, or use the LDAP long name notation to push this from Panorama. It looks like this may have changed:

 

https://live.paloaltonetworks.com/t5/Management-Articles/Active-Directory-Groups-in-Panorama-Rules/t...

 

In the above article it says they fixed this, and the group mappings should be pulled from the master device. Do you have a master device set up for that device-group? If not, try setting the device that has the group mappings on it and then see if it populates.

 

Let me know what you find there.

 

 

Thanks

I forgot to mention, you will probably need to commit the Panorama configuration after setting a master device before anything will populate.

Hi, Thanks for your mail.

 

We have configured Master device on Panorama. Also, we are able to configure/select user ids/groups while configuring security policies on same Panorama server.

 

We are not able to see  users list/groups under Global Protect Gateway in AGENT tab. Same is visible locally on firewall.

Hi @KPITNOC

 

What version is your Panorama on? The User-ID process running on Panorama was only implemented in PAN-OS 8.0 and above.

 

Thanks,

Luke.

Hi,

 

Thanks for your reply.

 

It is currently expected design of Panorama to not show user-group/user ids information in Templates even when we have configured Master device under device group.

 

We are raising Feature Request with Palo Alto team for the same. We will share number asap. Please give your vote for it.

 

Thanks again!

Is it fixed because I think we have the same issue (Panorama - PAN-OS 9.0.4) ?!

 

Thanks,

Dominic. 

L1 Bithead

We're facing this issue as well. 

 

Feature requests take for everrrrrrrr

 

I'm now going to test if using the long string is a work-around...

 

Anybody else found a work-around for this other than making a local override on the FW?

 

kr,

 

Kim


Did this issue get fixed? I am having a similar problem: not being able to see the source user/group list in the GlobalProtect Agent configuration.

Thank you

Nearly 4 years later and this issue still isn't fixed...  at least not in 9.1.

Cyber Elite

The dropdown will not populate users/groups indeed, but you can enter them manually and they will take effect.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

What format does this take?  Is it the fully qualified distinguished name (like adding it to group mappings) or just the domain\name (like adding it to security policies)?

 

Maybe include this in future GlobalProtect documentation given they don't seem to be fixing this anytime soon in Panorama...

 

 
