07-08-2011 05:34 AM
Hello all,
We have a strange issue.
Suddenly, and without any apparent cause, the AD users in our PAN device lose the AD groups they belong to. This is a huge problem because the security policies configured by group do not work.
The strange thing is that if we force a commit the problem is temporarily solved, until at some undefined time it happens again.
The PAN agent seems to be working properly. Here I add some tests we made in the CLI.
(IP addresses, domain, user and group names have been modified for privacy.)
We always get the same output from this show command, both when it is working and when the problem/issue appears.
admin@FW_VMXXX(active)> show user pan-agent user-IDs
User Name Vsys Groups
------------------------------------------------------------------
domainA\user1 vsys1 DomainA\user-group1
DomainA\user-group2
DomainA\user-group3
DomainA\user-group4
DomainA\user-group5
DomainA\user-group6
domainA\user2 vsys1 DomainA\user-group1
domainA\user3 vsys1 DomainA\user-group4
While we have the problem:
admin@FW_VMXXX(active)> show user ip-user-mapping ip 192.168.x.x
IP address: 192.168.x.x
User: domainA\user1
Ident. By: AD
Idle Timeout: 2608s
Max. TTL: 2608s
Groups that user belong to (used in policy)
While it is working properly we get:
IP address: 192.168.x.x
User: domainA\user1
Ident. By: AD
Idle Timeout: 2366s
Max. TTL: 2366s
Groups that user belong to (used in policy)
Group(s): DomainA\user-group1
DomainA\user-group2
DomainA\user-group3
DomainA\user-group4
DomainA\user-group5
DomainA\user-group6
Many thanks in advance.
Albert
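As an added example (not from the original poster or from Palo Alto Networks), the script below parses the two show-command outputs quoted above and flags the condition described in the post: a user whose IP mapping carries none of the groups the agent reports for that user. The command names and output layout are taken from the post; the sample data is constructed from the anonymised output shown there, and the parsing rules are an assumption based on that layout.

```python
import re

# Constructed sample output modelled on "show user pan-agent user-IDs" from the post.
# Continuation lines carry only a group name and belong to the previous user row.
AGENT_OUTPUT = r"""
User Name Vsys Groups
------------------------------------------------------------------
domainA\user1 vsys1 DomainA\user-group1
DomainA\user-group2
DomainA\user-group3
domainA\user2 vsys1 DomainA\user-group1
domainA\user3 vsys1 DomainA\user-group4
"""

# Constructed "show user ip-user-mapping" output while the problem is present:
# the "Group(s):" line is missing entirely, so no group-based policy can match.
BROKEN_MAPPING = r"""
IP address: 192.168.x.x
User: domainA\user1
Ident. By: AD
Idle Timeout: 2608s
Max. TTL: 2608s
Groups that user belong to (used in policy)
"""

# Constructed output for the healthy state, as shown in the post.
WORKING_MAPPING = r"""
IP address: 192.168.x.x
User: domainA\user1
Ident. By: AD
Idle Timeout: 2366s
Max. TTL: 2366s
Groups that user belong to (used in policy)
Group(s): DomainA\user-group1
DomainA\user-group2
DomainA\user-group3
"""

# A user row is "<user> <vsysN> <first group>"; anything else is a continuation group.
AGENT_ROW = re.compile(r"^(?P<user>\S+)\s+(?P<vsys>vsys\d+)\s+(?P<group>\S+)\s*$")


def parse_agent_user_ids(text):
    """Return {user (lower-cased): [groups]} from 'show user pan-agent user-IDs' output."""
    users = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("User Name") or line.startswith("---"):
            continue
        m = AGENT_ROW.match(line)
        if m:
            current = m.group("user").lower()  # AD user names are case-insensitive
            users[current] = [m.group("group")]
        elif current is not None:
            users[current].append(line)
    return users


def parse_ip_user_mapping(text):
    """Return {'ip', 'user', 'groups'} from 'show user ip-user-mapping ip <addr>' output.
    The 'Group(s):' line may be absent, which is the failure mode described in the post."""
    entry = {"ip": None, "user": None, "groups": []}
    in_groups = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("IP address:"):
            entry["ip"] = line.split(":", 1)[1].strip()
        elif line.startswith("User:"):
            entry["user"] = line.split(":", 1)[1].strip()
        elif line.startswith("Group(s):"):
            entry["groups"].append(line.split(":", 1)[1].strip())
            in_groups = True
        elif in_groups and ":" not in line:
            entry["groups"].append(line)  # further groups, one per line
    return entry


def check_policy_groups(agent_text, mapping_text):
    """Compare the groups the agent knows for the mapped user with the groups
    actually present in the IP mapping (the ones policy evaluation uses)."""
    agent = parse_agent_user_ids(agent_text)
    mapping = parse_ip_user_mapping(mapping_text)
    user = (mapping["user"] or "").lower()
    expected = agent.get(user, [])
    present = {g.lower() for g in mapping["groups"]}
    missing = [g for g in expected if g.lower() not in present]
    return {
        "ip": mapping["ip"],
        "user": mapping["user"],
        "expected": expected,
        "in_policy": mapping["groups"],
        "missing": missing,
        "healthy": bool(expected) and not missing,
    }


if __name__ == "__main__":
    for label, sample in (("broken", BROKEN_MAPPING), ("working", WORKING_MAPPING)):
        r = check_policy_groups(AGENT_OUTPUT, sample)
        state = "OK" if r["healthy"] else "GROUPS MISSING"
        print(f"{label}: {r['user']} @ {r['ip']} -> {state} {r['missing']}")
```

Run periodically against saved command output (for example from a scheduled CLI capture), a non-healthy result for a user the agent does know is the signal that group-based policy has silently stopped matching for that IP, which is the moment the post's commit workaround would otherwise be discovered by a user complaint.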
07-08-2011 08:54 AM
What version of PANOS are you running on the device?
07-11-2011 05:49 AM
Hi Albert
It's best to upgrade to 4.0.3 as soon as possible as 4.0.1 did have some issues with userID matching security policies, these issues were addressed in 4.0.3
regards
Tom
08-24-2011 09:17 AM
I thought this issue was fixed in version 4.03. I hope it did not resurface in version 4.04.
Part of the version 4.03 release notes:
[28873] An inconsistency in the user and group mapping database can occur.
01-16-2012 05:48 AM
We are experiencing this same issue in 4.1.1
01-18-2012 09:57 AM
We had this happen also; we run two different domains in the same forest. We found that if they had a drive mapping to the other domain, when authentication took place it confused the PAN agent and assigned them to a different AD group. Once those drive mappings had been removed and the user logged off and back on, the problem went away.