Syntax issue with user enumeration

L4 Transporter

Hello

I've an issue on PANOS 6.0.3

about enumeration of a user or group in a security policy.

I have to use the complete LDAP syntax to find the user in the user source column

like this

Capture.PNG

and when I tried to browse directly with the select menu

I obtain this

Capture2.PNG

loading, but nothing appears

Does anybody have this issue?

L4 Transporter

Hello Gregoux,

You can refer to this document:

Cannot Pull Groups from Active Directory LDAP Server

- Also, you can check under Device > User Identification > Group Mapping Settings > select the profile > Group Include List whether it is properly pulling the group information and whether you have the correct groups in the include list (if any).

- You can also try creating a new group mapping profile to see if that fixes the issue.

- You haven't mentioned whether it's on Panorama or a local device. If it's Panorama, make sure you have properly selected the master device in the device group, because Panorama pulls group info from that selected master device.

Regards,

Dileep

L6 Presenter

Hi Gregoux,

In the box type "cn=", it will pull all the groups. Basically you have to type something.

If you leave it blank, then it takes more time to populate the list, which depends on the management CPU of the box.

group_pull.png

Same with the user name: you have to type the user name in the box, and it will pull the CN name. User names will never be auto-populated like group names. You have to type something. It's by design.

Regards,

Hardik Shah

Hello Gregoux,

Please check if the user groups are being pulled in the CLI:

>show user group list

If it shows up there, it could be a GUI glitch. Try a different browser.

-Dileep

L6 Presenter

Try to delete LDAP, commit, then add the LDAP profile again.

I had a similar issue, but not the same.

L6 Presenter

Before that, make sure you can see them in the CLI with the following command.

>show user group list

If it lists the groups, then I would suggest restarting the management server once to see if that helps.

debug software restart management-server

If that doesn't help, then you might think of configuration changes.

Yes, I did, it works.

I could list all the groups, but the syntax is cn=bla bla bla

but it's not enough to make it work.

The check box option "administrator only" is not involved in this case, but it is interesting to know.

I downgraded PANOS to 6.0.2 and it works just after. I think if I just restart the management plane it could work. Typically it looks like a delay in enumerating the users and groups when I tried to add a user or group in a security policy.

The command show user group -list works in PANOS 6.0.3, and there is no specific entry in the release notes about this.

Thank you very much for all

and sorry for the delay in answering.

Hi Gregoux,

I am glad the issue is finally resolved. The release notes may not have any details about this because it may not be a bug, and simply a resource utilization issue.

Regards,

Hardik Shah
