User/Group based policy questions

Announcements

ATTENTION Customers, All Partners and Employees: The Customer Support Portal (CSP) will be undergoing maintenance and unavailable on Saturday, November 7, 2020, from 11 am to 11 pm PST. Please read our blog for more information.

Reply
Highlighted
L4 Transporter

User/Group based policy questions

Hi,

I have a need to configured user/group based policy. I having difficulties with the same and have multiple questions. I hope someone will help me with the configuration.

1. We push all our policies from Panorama. Can I configure user/group based policy on Panorama and push to all firewalls?

2. I have pushed the LDAP config from Panorama to all firewalls. Can I use the same in group mapping?

3. Do I need to configure group mapping before using the group or users in that group in the policy?

4. I have a scenario wherein I have configured local LDAP profile along with the Panorama pushed one. Although I can browse the group and create the group mapping, I cannot find any users which are part of that group from CLI

5. I have also found out that PA firewalls have issue browsing distribution groups. It can find security groups in active directory without any problem. Did anyone come across the same or know this limitation?

I already have a support case open however there is no resolution yet.

Thanks in advance.

Highlighted
L4 Transporter

I managed to pass the first hurdle. Pushing user-id/group based policies via Panorama is possible. Under Panorama -> Device Groups -> There is an option called as "Master Device" (refer screenshot below). If you add a device here and if that device has the LDAP, Group Mapping etc. configured then Panorama can pull the user/group information from it. I was able to create an active directory group based policy via Panorama. Now the next pending is, do I need to have Group Mapping created on the individual device where the policy is pushed.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!