06-25-2020 10:31 PM
Hi,
I have two PaloAlto 3020 in an active-passive cluster. PanOS 8.1.11 is installed on both. Everything works correctly: internal traffic, traffic from GP Client, vpn tunnels. GP clients connect, send HIPs, Palo receives these HIPs, traffic is passing through according to rules.
The problem is that when I updated one cluster node from version 8.1.11 to 8.1.12 (but checked 8.1.13, and 9.0.8 also) and switch the active node to this one, using the newer software, traffic from the GP client is not passing through.
The GP client connects, sends HIPs, Palo receives these HIPs, but GP traffic does not pass. And there are no traffic logs from GP clients.
The update passed without errors and internal traffic works correctly. Everything except GP traffic.
Does anybody have suggestions what could be the problem?
Greetings
Jacek
07-15-2020 01:11 AM
Hi guys,
Problem solved.
I had to change two things. First, as described in this article https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/user-id/map-users-to-groups.html, I had to add Alternate Username 1: userPrincipalName (in my old settings this field was empty).
And secondly, I needed to change Authentication Profile.
Type: LDAP
Login Attribute: userPrincipalName
User domain: dom (lower case, pre-win 2000 format) (was domain.local)
Username Modifier: %USERINPUT% (was %USERINPUT%@%USERDOMAIN% )
Thank you for your help.
Greetings
Jacek
06-26-2020 03:50 AM
Hello @Jacek_Loszewski
Check for the user names listed in the logs (compare it with the ones from the working PAN). If the user name (format) is not different, then you need to adjust the authentication profile.
06-29-2020 12:54 AM
@JoergSchuetter - thank you for your reply. You were right. There is a problem with the format of the user names.
domain: acme.local - UPN: user@acme.local
domain name (pre-win 2000) is: Dom so sAMAccountName format is: Dom\user
When the active node is the one with older software, in the HIP log we have the user name in sAMAccountName format - everything working fine.
When we switch the active node (to the one with newer software) and make a GP connection we have something like this: acme.local\user
And that's why traffic is not passing through the policy rules. So, as you say, we need to adjust the authentication profile.
I don't know how yet, but I hope it will work soon 🙂
Greetings
Jacek
06-29-2020 02:49 AM
Hello @Jacek_Loszewski
I have set the following on my authentication profile (Kerberos):
Realm: ACME.LOCAL (all in capital letters)
User Domain: dom (we have all in lower case, not sure if Dom would also work)
Username Modifier: %USERINPUT%@ACME.LOCAL
Joerg
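An added example (not from this thread or from Palo Alto Networks) that models the username-format mismatch Jacek describes and the %USERINPUT% / %USERDOMAIN% variables from the authentication profile; the acme.local to dom mapping, the helper names and the sample log names are assumptions:

```python
"""Username-format check for the User-ID / GlobalProtect mismatch in this thread.

Constructed example, not Palo Alto code: the working node logged users as
NetBIOS 'Dom\\user', the upgraded node as 'acme.local\\user', so a rule keyed
on the first string never matched the second. normalize_username() folds UPN,
FQDN\\user and NetBIOS\\user into one canonical form; apply_username_modifier()
is a simplified model of the authentication profile's Username Modifier.
"""
from typing import Dict, List

# Assumption from the thread: FQDN acme.local has pre-Windows 2000 name "dom".
NETBIOS_BY_FQDN: Dict[str, str] = {"acme.local": "dom"}


def normalize_username(name: str, netbios_by_fqdn: Dict[str, str] = NETBIOS_BY_FQDN) -> str:
    """Return lower-case 'netbios\\user' for user@fqdn, fqdn\\user or netbios\\user."""
    name = name.strip()
    if "@" in name:                       # UPN: user@acme.local
        user, _, domain = name.rpartition("@")
    elif "\\" in name:                    # domain\user (NetBIOS or FQDN prefix)
        domain, _, user = name.partition("\\")
    else:
        raise ValueError(f"username carries no domain: {name!r}")
    domain = domain.lower()
    netbios = netbios_by_fqdn.get(domain, domain)  # FQDN -> NetBIOS, else as-is
    return f"{netbios}\\{user.lower()}"


def apply_username_modifier(user_input: str, modifier: str, user_domain: str) -> str:
    """Simplified expansion of the %USERINPUT% and %USERDOMAIN% variables."""
    return modifier.replace("%USERINPUT%", user_input).replace("%USERDOMAIN%", user_domain)


def rule_matches(rule_user: str, log_user: str) -> bool:
    """True when the rule's user and the HIP/traffic-log user are the same identity."""
    return normalize_username(rule_user) == normalize_username(log_user)


def format_mismatches(rule_user: str, log_users: List[str]) -> List[str]:
    """Log names that are the rule's identity but fail a literal string compare."""
    return [u for u in log_users if u != rule_user and rule_matches(rule_user, u)]


if __name__ == "__main__":
    # Constructed HIP-log names: old node, upgraded node, UPN, and an unrelated user.
    seen = ["Dom\\user", "acme.local\\user", "user@acme.local", "Dom\\other"]
    print(format_mismatches("Dom\\user", seen))   # ['acme.local\\user', 'user@acme.local']
    print(apply_username_modifier("user", "%USERINPUT%@%USERDOMAIN%", "domain.local"))
```

Running it against real HIP-log names from both nodes shows which entries only differ in format, which is the case the authentication profile changes in this thread fix.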