This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Not able to configure user/user groups under Global Protect Gateway under Panorama, same is possible

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Not able to configure user/user groups under Global Protect Gateway under Panorama, same is possible

KPITNOC
L1 Bithead

‎07-23-2018 01:53 AM

We have configured Global Protect VPN. We are trying to configure specific user/user groups under Global Protect Gateway in AGENT config on Panorama server. Unfortunately, we are not able to see any user ids/user groups under drop down list. But we can see list locally on firewall.

Need your help.

16 REPLIES 16

Raido_Rattameister
Cyber Elite
Cyber Elite

‎01-05-2023 02:26 PM - edited ‎01-05-2023 02:28 PM

Check under "Monitor > GlobalProtect" in what format gateway sees username.

You can use all 3 for testing:

domain\first.last

first.last

first.last@example.com

 

For group you can also test full LDAP path that you can get from domain controller command prompt with command like:

dsquery group -name "VPN Users"

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
0 Likes Likes

MichealSwart
L0 Member
In response to Raido_Rattameister

‎05-03-2023 04:28 AM

Same issue and here is the response from Tech Support. We went over the configuration, and everything appears to be in order. We talked about how Panorama doesn't automatically populate user-group information for any references in the Template. 

As I explained, that it worked in security policy doesn't mean it should automatically work in Global Protect as, according to the backend engineers, the device group and the templates are two different functional variables (from the backend coding).

As a result, we're unable to auto-populate user group mapping from CIE in Panorama GUI for Portal Agent config selection criteria under Global Protect portal settings, or for gateway client-settings under Global Protect Gateway settings. 

This is expected behavior, and we'll need to manually input the user group when the configuration is pushed from Panorama. We also noted that there's a feature request for this capability, identified by ID 8467 (FR-8467).

Please don't hesitate to contact your account team to vote for the feature request on your behalf.
Nott going to be fixed soon. Will need to add manually until FR is accepted.

  • 10443 Views
  • 16 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks