I thought I would share a quick tip for those people that may be considering upgrading from 6.x to 7.x in an environment where you are using Panorama.
In PAN-OS 7.x, the information of your Active Directory domain has been moved from the LDAP settings to the Group Mapping Settings. As the first step in upgrading to 7.x is upgrading your Panorama server, you will immediately notice that this field is no longer available in the template.
This setting has been moved to Group Mappings:
If you push this template to any devices that are running PAN-OS 6.x, the domain field in the LDAP settings will become empty which can cause your users in groups to return the wrong mapping without the domain. In our case, it caused the following to happen:
IP Vsys From User IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
X.X.X.X vsys1 UIA <domain>\mlinsemier 40 40
short name: <domain>\pan-downloads-it
source type: proxy
source: Group Mapping - Domain
[1 ] \mlinsemier
[2 ] \jsmith
[3 ] \jdoe
You will notice that the user names in the Group Mapping are missing the domain portion. This causes any rules that you have setup based on groups not to map correctly.
To fix the issue, you must push your template and then create a local override on each PAN-OS 6.x firewall for each LDAP group and enter your domain.
One thing also to note is that when you upgrade a firewall to PAN-OS 7.x, Panorama may still show that your Templates for that devife a re still '"in Sync" after the upgrade. We didn't re-push the templates after the upgrade to our PAN-OS 7.x firewalls, which meant that the domain field in Group Mapping was blank and caused the same issues. Once we pushed them, the information was populated from the template and all was fixed.
I thought I would share this just in case others are in a similar boat as we were. YMMV.
This actually surfaced as two different TAC cases, Panorama 7.x with PAN-OS 6.x clients and PAN-OS 7.x Group Mappings not working. We had both of them open at the same time (was waiting for more troubleshooting for the initial case), when through troubleshooting myself it dawned on me what was happening.
I did ask TAC to forward this to engineering and also sent this up to my Palo Alto SE to ask him to create a bug for this. In a mixed environment, Panorama will need to know the PAN-OS to determine now to configure LDAP and Group Mapping, which right now I don't know if this is possible.
Anyways, glad it was helpful. I love the Palo Alto product and figured if I can give back to the community to save at least one other engineer hours of troubleshooting, it's a good thing.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!