07-22-2013 07:13 AM
Hi,
I have a PA2050 v(4.0.11) and PAN-Agent for LDAP users and groups. I have created a group in my Active Directory and I configured a policy for this group, but when I try to check this policy with one user in this group, the firewall doesn't let me pass through.
I can't see that my user belongs to this new group but I can add this group in policies.
telindus@fw1orgt(active)> show user ip-user-mapping ip 10.1.12.70
IP address: 10.1.12.70
User: oartg\brepr
Ident. By: AD
Idle Timeout: 1956s
Max. TTL: 1956s
Groups that user belong to (used in policy)
Group(s): oargt\internet
oargt\satd
oargt\diba
My user brepr belongs to group oargt/accessfor in the AD but I can't see it in this output. I can apply the group oargt/accessfor in policies.
Thanks
07-22-2013 07:35 AM
If you have a security rule for accessfor
you should also see that.
Try to refresh the mappings:
debug user-id refresh group-mapping
07-22-2013 08:38 AM
I don't have that command debug user-id in my PA version 4.0.11..... How can I refresh the cache for groups or something like that?
My user brepr belongs to satd and the group satd belongs to accessfor. Is this important???? Can I map a group within another one?
07-22-2013 01:24 PM
Hi,
I missed that you use 4.0.x.
With 4.0.x your agent will do both group and user mapping.
For nested groups I made a test with 5.0.x and it was working, but I did not do it with 4.0.x, so I am not sure.
On the agent, do you see all groups?
07-22-2013 01:27 PM
For the command,
try:
debug device-server refresh user-group all
07-24-2013 12:45 AM
I cleared the cache groups and device-server and it didn't work.
It's very weird because I can add this group accessfor in a policy but I can't see any users in this group.
I have created the policy again.
I have restarted the PAN-Agent service.
I have cleared all caches users/groups.
What more can I try??
07-24-2013 12:54 AM
Try to create another new group at the same place and make a user a member of it. Then refresh groups again. Afterwards, look if anything changes for that user for the new group.
07-24-2013 01:08 AM
It's solved.
I put these commands and now it's working:
debug dataplane reset user-cache all
debug device-server reset pan-agent all
THANKS A LOT
07-24-2013 01:11 AM
I think the command which solved it was debug device-server reset pan-agent all
thanks a lot
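
The check this thread keeps doing by eye (does the firewall's mapping list every group the user should be in, nested ones included) can be scripted. The following is an added example, not part of any post in the thread: `SAMPLE_OUTPUT` is constructed from the output quoted above, `DIRECT_MEMBER_OF` is constructed directory data based on the memberships the poster describes, and all function names are hypothetical.

```python
import re

# Constructed sample, modeled on the `show user ip-user-mapping ip ...` output in the thread.
SAMPLE_OUTPUT = r"""IP address: 10.1.12.70
User: oartg\brepr
Ident. By: AD
Groups that user belong to (used in policy)
Group(s): oargt\internet
oargt\satd
oargt\diba
"""

# Constructed directory data (assumption): member -> groups it is a DIRECT member of.
DIRECT_MEMBER_OF = {"brepr": {"internet", "satd", "diba"}, "satd": {"accessfor"}}

def short_name(principal):
    """Drop the 'domain\\' or 'domain/' prefix and lowercase; only short names are compared."""
    return re.split(r"[\\/]", principal.strip())[-1].lower()

def parse_mapping(text):
    """Return (user, reported_groups); group names continue on the lines after 'Group(s):'."""
    user, groups, in_groups = None, set(), False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("User:"):
            user = short_name(line.split(":", 1)[1])
        elif line.startswith("Group(s):"):
            in_groups = True
            groups.add(short_name(line.split(":", 1)[1]))
        elif in_groups and line:
            groups.add(short_name(line))
    return user, groups

def expected_groups(member, member_of):
    """All groups reachable through nesting (transitive closure); safe on membership cycles."""
    seen, stack = set(), [member]
    while stack:
        for group in member_of.get(stack.pop(), ()):
            if group not in seen:
                seen.add(group)
                stack.append(group)
    return seen

def missing_groups(text, member_of):
    """Groups the directory implies for the user that the firewall output does not list."""
    user, reported = parse_mapping(text)
    return user, sorted(expected_groups(user, member_of) - reported)

if __name__ == "__main__":
    print(missing_groups(SAMPLE_OUTPUT, DIRECT_MEMBER_OF))
```

A non-empty result means a rule that references the missing group will not match that user's traffic until the firewall's group data is refreshed.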