Palo Alto Mapping problem adding new groups


Hi,

We have a PA3050 and we are experiencing a problem related to group mapping. We have added two new groups to the LDAP group mapping profile. We can add these 2 groups using the WebUI's "Included groups"; we launch a refresh of the user-id group mapping, but when we run "show user group-mapping state all", we can see all groups but not the new ones added.

Why is the PA not detecting the new groups added? We see this error in the system logs, "PA fetch group LDAP", but the PA can connect to LDAP properly.

It's version 7.0.11; any bug related to this?


Accepted Solutions
L4 Transporter

Hi,

Not necessarily a bug; could be something in the configuration or whatnot.

Do one thing, take a pcap on the MGMT interface (unless some other interface is being used for LDAP).

1) Open a CLI session to the firewall:

    admin@anuragFW> tcpdump

2) Open another CLI session to the firewall:

    admin@anuragFW> debug user-id refresh group-mapping all

3) Verify that the last action time shows a fresh time count:

    admin@anuragFW> show user group-mapping state ourgroups

    Group Mapping((null), type: active-directory): ourgroups
    Bind DN : anurag@xxxx.xxx
    Base : DC=xxxxx,DC=xxx
    Group Filter: (None)
    User Filter: (None)
    Servers : configured 1 servers
    10.21.56.14(389)
    Last Action Time: 1 secs ago(took 0 secs)
    Next Action Time: In 3599 secs

4) Stop the tcpdump by pressing Ctrl+C.

5) Transfer the pcap for easy viewing:

    admin@anuragFW> tftp export mgmt-pcap from mgmt.pcap to x.x.x.x

Now, filter for the LDAP server and check what we are receiving from the LDAP server that's causing the error in the system logs.

Regards,

Anurag

================================================================
ACE 7.0, 8.0, PCNSE 7
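To apply step 3 of the reply above across every profile in "show user group-mapping state all" instead of reading each block by hand, here is an added Python parser (my own, not from the thread or from Palo Alto Networks). It assumes the output layout shown in the reply, works on constructed sample output with placeholder DNs and addresses, and reports the profiles whose last LDAP fetch is older than a threshold, i.e. the ones a refresh did not actually reach.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample of "show user group-mapping state all" output, in the
# layout shown in the reply above. DNs and addresses are placeholders.
SAMPLE_STATE = """\
Group Mapping((null), type: active-directory): ourgroups
Bind DN : svc-userid@example.test
Base : DC=example,DC=test
Group Filter: (None)
User Filter: (None)
Servers : configured 1 servers
10.21.56.14(389)
Last Action Time: 1 secs ago(took 0 secs)
Next Action Time: In 3599 secs

Group Mapping((null), type: active-directory): newgroups
Bind DN : svc-userid@example.test
Base : DC=example,DC=test
Group Filter: (None)
User Filter: (None)
Servers : configured 1 servers
10.21.56.14(389)
Last Action Time: 2754 secs ago(took 0 secs)
Next Action Time: In 846 secs
"""

HEADER_RE = re.compile(r"^Group Mapping\((?P<vsys>.*?), type: (?P<type>[^)]+)\): (?P<name>\S+)")
SERVER_RE = re.compile(r"^(?P<host>\S+)\((?P<port>\d+)\)$")
LAST_RE = re.compile(r"^Last Action Time:\s*(?P<ago>\d+) secs ago\(took (?P<took>\d+) secs\)")

@dataclass
class GroupMappingState:
    name: str
    bind_dn: str = ""
    servers: List[Tuple[str, int]] = field(default_factory=list)
    last_action_secs_ago: Optional[int] = None   # None if no fetch line was seen

def parse_state(text: str) -> List[GroupMappingState]:
    """Parse the CLI output into one record per group-mapping profile."""
    profiles: List[GroupMappingState] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER_RE.match(line):
            profiles.append(GroupMappingState(name=m["name"]))
        elif not profiles:
            continue                      # skip anything before the first profile
        elif line.startswith("Bind DN"):
            profiles[-1].bind_dn = line.split(":", 1)[1].strip()
        elif m := SERVER_RE.match(line):
            profiles[-1].servers.append((m["host"], int(m["port"])))
        elif m := LAST_RE.match(line):
            profiles[-1].last_action_secs_ago = int(m["ago"])
    return profiles

def stale_profiles(text: str, max_age_secs: int = 60) -> List[str]:
    """Names of profiles whose last fetch is older than max_age_secs (or never ran)."""
    return [p.name for p in parse_state(text)
            if p.last_action_secs_ago is None or p.last_action_secs_ago > max_age_secs]
```

Run it right after "debug user-id refresh group-mapping all": any profile it lists did not refresh, so that is the one whose LDAP exchange to inspect in the pcap.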
