Unable to assign Security Policy to Users or Groups

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Unable to assign Security Policy to Users or Groups

L3 Networker

Hi -

We are using User-ID Agents to create user-to-IP mappings and I've got group mapping configured on the firewall itself and I can browse through my ldap groups.  However, when I go to Policies > Security Policy I am unable to select either individual users OR groups to assign the policy to... Nothing populates.  Am I missing something somewhere?  Seems like it would be straight forward after configuring group mapping.  Thanks!

19 REPLIES 19

L6 Presenter

what's the output for the following?

admin@PA-200> show user group-mapping state all

L6 Presenter

what panos version are you using ?

if you configured user id,ldap and group mapping.and also enabled user-id on a zone

you should see users on monitor tab traffic logs.

if everythins is ok and you can't see user/group on security rule

reboot the device if you can, you'll see groups and users on security rule after that.

admin@UTM21-LAB-2-B(active)> show user group-mapping state all

<response status="success"><result>
Group Mapping(vsys1, type: active-directory): Group_Mapping (job 749073)
        Bind DN    : cn=ldap-alt-paloalto,ou=users,o=alticor
        Base       : ou=groups,o=alticor
        Group Filter: (&(objectCategory=Group)(objectClass=group))
        User Filter: (&(objectCategory=person)(objectClass=user))
        Servers    : configured 1 servers
                ldap-adam-apps.intranet.local(389)
        Proxy state: QUERY_SENT
        Query agent: usnx282
        Result from: usnx282
                Last Action Time: 326 secs ago(took 6 secs)
                Next Action Time: Now (started 156 secs ago)
                Query Local Group Mapping Service:
                        Last Action Time: 326 secs ago(took 6 secs)
                        Next Action Time: Now (started 156 secs ago)
        Number of Groups: 0
</result></response>

I don't see any groups being pulled. If you're not filtering groups, we should be able to pull all groups in your AD as shown below.

Group Mapping(vsys1, type: active-directory): amb

        Bind DN    : renato@amb.local

        Base       : DC=amb,DC=local

        Group Filter: (None)

        User Filter: (None)

        Servers    : configured 1 servers

                172.16.20.23(389)

                        Last Action Time: 1 secs ago(took 0 secs)

                        Next Action Time: In 3599 secs

        Number of Groups: 42

        cn=administrators,cn=builtin,dc=amb,dc=local

        cn=domain controllers,cn=users,dc=amb,dc=local

        cn=remote desktop users,cn=builtin,dc=amb,dc=local

        cn=distributed com users,cn=builtin,dc=amb,dc=local

        cn=incoming forest trust builders,cn=builtin,dc=amb,dc=local

        cn=certificate service dcom access,cn=builtin,dc=amb,dc=local

What does the ldap server profile look like? Grep after the output is displayed on your ssh terminal with the following: "/ldap" and "/group-mapping"

admin@PA-200> show config running

     ldap {

        amb {

          server {

            amb {

              port 389;

              address 172.16.20.23;

            }

          }

          ldap-type active-directory;

          base DC=amb,DC=local;

          bind-dn renato@amb.local;

          timelimit 30;

          bind-timelimit 30;

          bind-password -

          ssl no;

          domain amb;

  group-mapping {

            amb {

              group-object group;

              group-name name;

              group-member member;

              user-object person;

              user-name sAMAccountName;

              disabled no;

              server-profile amb;

As pointed out in the previous comment, there are no groups being pulled.

Looks like you are using the userID agent for "LDAP Proxy" to query for groups. Does the management interface of the firewall have connectivity to the domain controllers? If so, can you please try to uncheck the "LDAP proxy" checkbox on the userID agent (Device>User identification>User ID agents) and see if groups get pulled?

L6 Presenter

can you see groups on group mapping tab or not ?

rkalugdan I have to apologize - I'm not familiar with running the grep command from the CLI.  Can you provide the syntax?  I'm on 5.0.4

L3 Networker

Yes, I can see groups on the group mapping tab.

I initially had the Use LDAP Proxy box unchecked.  I checked it as a way to try to resolve this issue.

so you're now using the user-id agent as an ldap proxy to pull groups. possibly will need to review your ldap server profile to get a better understanding of the issue. glad you were able to get a work around implemented.

L3 Networker

rkalugdan -

No, using the user-id agent as an ldap proxy does not work to pull groups.  It's interesting because on the Group Mapping tab (Device > User Identification > Group Mapping Settings > Group Include List), I can see all my ldap groups, browse them, etc.. however, I cannot use any of those groups to assign policy to.

show us the ldap config

can you try to reboot your device ?

L3 Networker

What CLI command will provide the output you're looking for, rkalugdan?

  • 6753 Views
  • 19 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!