
PanAgent AD Groups disappear


L2 Linker

Hello all,

We have a strange issue.


Suddenly and without any cause, the AD users in our PAN device lose the AD groups that they belong to. This is a huge problem because the security policies configured by groups do not work.


The strange thing is that if we force a commit, the problem gets temporarily solved until, at some undefined time, it happens again.


The PAN agent seems to be working properly. Here I add some tests we made in CLI.

(IP, domain, users and group names have been modified for privacy)

We always get the same answer from this show when it is working and when the problem/issue appears.

admin@FW_VMXXX(active)> show user pan-agent user-IDs

User Name                       Vsys    Groups
------------------------------------------------------------------
domainA\user1                   vsys1   DomainA\user-group1
                                        DomainA\user-group2
                                        DomainA\user-group3
                                        DomainA\user-group4
                                        DomainA\user-group5
                                        DomainA\user-group6
domainA\user2                   vsys1   DomainA\user-group1
domainA\user3                   vsys1   DomainA\user-group4


While we have the problem.

admin@FW_VMXXX(active)> show user ip-user-mapping ip 192.168.x.x

IP address:  192.168.x.x
User:        domainA\user1
Ident. By:   AD
Idle Timeout: 2608s
Max. TTL:    2608s
Groups that user belong to (used in policy)

While it is working properly we get:

IP address:  192.168.x.x
User:        domainA\user1
Ident. By:   AD
Idle Timeout: 2366s
Max. TTL:    2366s
Groups that user belong to (used in policy)
Group(s):    DomainA\user-group1
             DomainA\user-group2
             DomainA\user-group3
             DomainA\user-group4
             DomainA\user-group5
             DomainA\user-group6

Many thanks in advance.

Albert
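
A monitoring check for the symptom described in this post, as an added example that is not part of the original post or any vendor code: it parses the two CLI outputs quoted above and reports groups the agent lists for a user that are missing from the IP mapping used in policy. The sample text is constructed in the post's output format, the function names are hypothetical, and group names are assumed to contain no spaces.

```python
# Constructed sample input in the format of the CLI output quoted in the post.
AGENT_OUTPUT = r"""User Name                       Vsys    Groups
------------------------------------------------------------------
domainA\user1                   vsys1   DomainA\user-group1
                                        DomainA\user-group2
domainA\user2                   vsys1   DomainA\user-group1
"""
MAPPING_BROKEN = r"""IP address:  192.168.x.x
User:        domainA\user1
Ident. By:   AD
Groups that user belong to (used in policy)
"""
MAPPING_OK = MAPPING_BROKEN + r"""Group(s):    DomainA\user-group1
             DomainA\user-group2
"""

def parse_agent_groups(text):
    """Map user -> set of groups from 'show user pan-agent user-IDs' output."""
    groups, user = {}, None
    for line in text.splitlines():
        fields = line.split()
        if not fields or line.startswith(("User Name", "---")):
            continue                          # blank line, header or rule
        if len(fields) == 3:                  # user, vsys, first group
            user = fields[0].lower()          # AD names are case-insensitive
            groups[user] = {fields[2].lower()}
        elif len(fields) == 1 and user:       # continuation: one more group
            groups[user].add(fields[0].lower())
    return groups

def parse_mapping(text):
    """Return (user, groups) from 'show user ip-user-mapping ip <addr>' output."""
    user, groups, in_groups = None, set(), False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("User:"):
            user = line.split(":", 1)[1].strip().lower()
        elif line.startswith("Group(s):"):
            in_groups = True
            groups.add(line.split(":", 1)[1].strip().lower())
        elif in_groups and line:              # further groups, one per line
            groups.add(line.lower())
    return user, groups

def missing_groups(agent_text, mapping_text):
    """Groups the agent reports for the mapped user that the mapping lacks."""
    user, mapped = parse_mapping(mapping_text)
    return sorted(parse_agent_groups(agent_text).get(user, set()) - mapped)
```

A non-empty result from `missing_groups` for a logged-in user is the state in which group-based security policies stop matching that user, so it is worth alerting on.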








7 REPLIES 7

L6 Presenter

What version of PANOS are you running on the device?

We are running 4.0.1

Hi Albert

It's best to upgrade to 4.0.3 as soon as possible, as 4.0.1 did have some issues with userID matching security policies; these issues were addressed in 4.0.3.

regards

Tom

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Not applicable

We ran into this problem on 4.0.4. Any ideas?

Thought this issue was fixed with version 4.03. I hope it did not resurface with version 4.04.

Part of the version 4.03 release notes:

[28873] An inconsistency in the user and group mapping database can occur.

We are experiencing this same issue in 4.1.1

L3 Networker

We had this happen also. We run two different domains in the same forest. We had found that if they had a drive mapping to the other domain, when authentication took place it confused the pan agent and assigned them to a different AD group. Once those drive mappings had been removed and the user logged off and back on, the problem went away.
