I have searched and found similar posts but none seem to have a working solution for this...
I have a simple security policy to deny access to a VM located in the 'trust' zone if it matches a user in the user group created on the AD server.
I've confirmed with 'show user group name' that the firewall can indeed see the correct users in the group but when applying that group to the deny policy i'm not getting a hit.
Yes the user has an IP mapping.
The user is accessing via GlobalProtect VPN which drops the user into 'VPN_Zone'. There's no issues with VPN connectivity and the user can access everything in the 'trust' zone which I can confirm in the logs. Yes their username is showing under 'src user'.
I then place a rule above the 'allow all' rule I have for VPN users to access resources in the 'trust zone'.
This deny rule to block access to a specific IP address contains the users group on the AD directory. The same group that contains the user that is connected via the VPN successfully.
It sounds like there may be a mismatch between IP and group mapping.
Please check the domain/username formats between:
> Show user Ip-user-mapping all
> Show user user-ids all
And are you overriding domain in the auth profile or group mapping settings? Is so, are they set to the same thing? If not, you may need to override one or the other.
The output of the commands you recommended shows that the user with the IP address is indeed the same as the user in the AD group. All output is as expected. This is a lab setup so I only have one group and I can see the username is correct.
No I'm not overriding domain in auth profile or group mapping. I thought the firewall automatically detected the domain from the server profile? I've left 'User Domain' blank and 'Username Modifier' as the default '%USERINPUT%' in auth profile and group mapping.
If I enter the domain in the auth profile 'User Domain' field then it messes up the VPN setup and the user can no longer connect.
At the moment the user authenticates to the LDAP server successfully when connecting via GlobalProtect and can access resources on the network. This tells me there is nothing wrong with reaching the AD server and authenticating the user in the user group. The user gets an IP and can access resources.
When logged in as the user via the GlobalProtect VPN I can see in the traffic log it's successfully showing the correct 'source user' as I connect to different network resources.
What I don't understand why is if I then try to create a rule blocking that user from accessing a specific IP on the network it doesn't work. I know the rule is working because if I remove the 'Source User' part of the rule I get hits and it shows the correct user in the log.
At present anyone connecting in via VPN can access the network via an 'allow any' rule from 'SSL_VPN' zone to the 'trust' zone.
I've placed a rule above that rule to deny access to one IP address on the network if the source user is in the 'hpslab\globalprotect-vpnusers' group. This group has been pulled from the AD server and contains the user that I'm logged in via the VPN to test with.
So as it stands at the moment I can still access the '192.168.50.1' IP and the deny rule isn't working.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!