cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

PAN AGENT WITH MULTI-FOREST

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

PAN AGENT WITH MULTI-FOREST

alle
L3 Networker

‎05-02-2012 03:20 AM

Hello,

I have Two FOREST A and B, I have a trust relation between this two forest.

When I add a user of the forest A in the group (local) of the forest B I can't see in the pan agent the users.

Any Idea to see the user of the forest A in the group of the forest B?

regards,

Labels:
0 Likes Likes
12 REPLIES 12

ST1985
L1 Bithead

‎05-02-2012 12:40 PM

Update to my post below:

Since I only had 3 users from a remote forest to worry about I was successful by adding their remotedomain\username logon IDs to the SourceUser list in one of our policies. It seems that although the agent won't expand the groups, the FireWall is quite happy when you explicitly list user's names in the policy.

----------------------------

I was trying to make this work just this morning also - same result. Users from another domain are not seen although their names do appear on the Monitor page next to their blocked packets.

I think the answer to y/our question is posted here:

https://live.paloaltonetworks.com/message/1819#1819

I guess we'll have to create a separate policy and filter based on PC names rather than user names. It won't be pretty though.

PaloAlto - why is it hard to expand Domain Local group membership?

0 Likes Likes

alle
L3 Networker
In response to ST1985

‎05-03-2012 05:03 AM

Hi Skytrain,

I have seen that is not possible to use multiforest with the PAN-AGENT 3.1.2. So I do an update of PANOS in 4.1.6

and an update pan-agent (user-id-agent) 4.1.4.

Moreover you must use the FIREWALL for enumeration and not the user-id-agent because you must use the global catalogue to see the

forest.

I v seen to that the group must be an Universal Group.

I do an another test but without success for the moment!

regards,

0 Likes Likes

mikand
L6 Presenter
In response to alle

‎05-03-2012 11:10 AM

I think you can select ldap-proxy when you setup your userid connection to make the firewall query the ldap through your userid agent (as before) instead of having to do ldap on its own (regarding flows in your network).

0 Likes Likes

alle
L3 Networker
In response to mikand

‎05-03-2012 11:20 AM

Hello mikand,

it's true that you can use the option ldap-proxy. but if you want browse the global catalogue (port 3268) and not LDAP

(port 389) you must use the firewall ldap server configuration. the global is usefull when you have severals domains.

And when I do a test with two different forest with trusted domain the enumeration doesn't work( I see just the main domain). Maybe it's only possible with severals domain in the same forest?

0 Likes Likes

essnet
L4 Transporter
In response to alle

‎05-08-2012 10:00 AM

unfortunalty , using global catalog will append wonrg domains in front of users.

Imagine ou have 1 forest with 2 domains : America, Europe. You configure PaloAlto LDAP with base domain mycompany.group and domain mycompany.

Users will be listed as:

  • mycompany\joe
  • mycompany\roger

while real users are:

  • america\joe
  • europe\roger

This is also breaking user / group mapping for me.

So for the moment I am using 1 LDAP setting per domain + 1 Group mapping per Domain. This is annoying but I hope PA will improve that anytime soon.

0 Likes Likes

alle
L3 Networker
In response to essnet

‎05-10-2012 03:20 AM

Hi essnet,

it is possible to use mutlidomain in the same forest with the global catalogue. you must just modify the xml configurationof your user-id agent. You can modify in the xml file the name of domain to send at the firewall so even if you do a ip-mapping in the America domain you can send to the firewall my company.

USER AGENT    ip-mapping                           ->    FIREWALL  IP-MAPPING

AMERICA/JOHN 192.168.1.2                                   MYCOMPANY/JOHN 192.168.1.2

regards,

0 Likes Likes

essnet
L4 Transporter
In response to alle

‎05-10-2012 03:59 AM

Ok, but what about Europe domain users ?

I think you don't get it , I want to keep local domains, but PA uses global name. In addition it breaks AD groups feature.

0 Likes Likes

alle
L3 Networker
In response to essnet

‎05-10-2012 07:07 AM

essnet,

you can do the same thing on EUROPE with the modification of xml file

USER AGENT    ip-mapping                                               ->    FIREWALL  IP-MAPPING

EUROPE/NICO 192.168.1.2                                                              MYCOMPANY/NICO 192.168.1.2

And for  your group you must use Universal GROUP!

but it's true that you can just use the domain of your enumeration ( MYCOMPANY)

Alex

0 Likes Likes

essnet
L4 Transporter
In response to alle

‎05-10-2012 07:09 AM

Ok well I am doomed,

I have same duplicate users in some forests and domains :

europe\bob , asia\bob and america\bob ... which of course aren't same people ....

0 Likes Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Copyright 2007 - 2021 - Palo Alto Networks