05-06-2021 12:30 PM
Hi,
I have searched and found similar posts, but none seem to have a working solution for this...
I have a simple security policy to deny access to a VM located in the 'trust' zone if it matches a user in the user group created on the AD server.
I've confirmed with 'show user group name' that the firewall can indeed see the correct users in the group, but when applying that group to the deny policy I'm not getting a hit.
Any ideas?
Thanks,
05-07-2021 09:05 AM
Holy moly, it worked.
I added the domain in the auth profile and left the username modifier as the default.
I tried this yesterday but changed the modifier to %USERDOMAIN%/%USERINPUT% and it didn't work.
Thanks all for your help on this.
07-14-2022 10:21 AM
Hi
Let me know if there is a way to remove the domain name from the group mapping.
In my case:
show user group name emea.com\test
short name: emea.com\test
source type: ldap
source: test
[1 ] emea.com\test1
[2 ] emea.com\test2
[3 ] emea.com\test3
I only need the names "test1", "test2" or "test3" from the group mapping.
The reason is that I get the user ID "test1", "test2" or "test3" from an external source on Palo Alto.
The goal is to create a policy rule based on the source user being part of a domain group.
I spent hours on this and there is no way to understand or find the reason why Palo Alto gets "domain name + name" from the LDAP group mapping.
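The mismatch described in this post (the group holds `emea.com\test1`, the external source supplies the bare `test1`, so the source-user condition never matches) is easy to reproduce outside the firewall. The following is an added illustration, not PAN-OS code and not from any poster in this thread: it parses output in the shape of the `show user group name` listing above, shows that a bare name fails the membership check, and normalises identifiers from an external source into the `domain\user` form before they are sent as an IP-to-user mapping. The `normalize_user` rules and the default-domain parameter are my assumptions; the `uid-message` document shape follows the User-ID XML API as I know it and should be checked against the docs for your PAN-OS version.

```python
"""Illustrative only: why a bare username never matches a DOMAIN\\user group member.

Not PAN-OS code. The sample group listing below is constructed to mirror the
`show user group name emea.com\\test` output quoted in the thread.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# Constructed sample, same shape as the CLI output in the post.
GROUP_OUTPUT = """\
short name:  emea.com\\test
source type: ldap
source:      test
[1 ] emea.com\\test1
[2 ] emea.com\\test2
[3 ] emea.com\\test3
"""

# Matches the "[n ] member" lines of the listing.
MEMBER_RE = re.compile(r"^\[\s*\d+\s*\]\s+(\S+)\s*$")


def parse_group_members(text: str) -> set[str]:
    """Return the member names exactly as the firewall prints them (lower-cased)."""
    members: set[str] = set()
    for line in text.splitlines():
        m = MEMBER_RE.match(line.strip())
        if m:
            members.add(m.group(1).lower())
    return members


def normalize_user(raw: str, default_domain: str) -> str:
    """Canonicalise an identifier from an external source into domain\\user.

    Assumed rules (mine, not PAN-OS's):
      - 'DOMAIN\\user' is kept, with the domain lower-cased
      - 'user@domain' (UPN) is rewritten to 'domain\\user'
      - a bare 'user' gets default_domain prepended
    """
    raw = raw.strip()
    if "\\" in raw:
        dom, user = raw.split("\\", 1)
    elif "@" in raw:
        user, dom = raw.rsplit("@", 1)
    else:
        dom, user = default_domain, raw
    return f"{dom.lower()}\\{user.lower()}"


def policy_matches(ip_user: str, members: set[str]) -> bool:
    """True if the user on the IP-to-user mapping is a member of the group."""
    return ip_user.lower() in members


def build_uid_login(entries: dict[str, str], timeout: int = 20) -> str:
    """Build a User-ID XML API login message from {user: ip} pairs.

    The document layout (uid-message/version/type/payload/login/entry) is the
    User-ID XML API shape as I know it; verify against your PAN-OS version.
    """
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    login = ET.SubElement(ET.SubElement(root, "payload"), "login")
    for user, ip in entries.items():
        ET.SubElement(login, "entry", name=user, ip=ip, timeout=str(timeout))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    members = parse_group_members(GROUP_OUTPUT)
    # Bare name from the external source: no match, which is the symptom in the post.
    print("bare 'test1' matches:", policy_matches("test1", members))
    # Same name normalised to the form the group mapping uses: match.
    canonical = normalize_user("test1", default_domain="emea.com")
    print(canonical, "matches:", policy_matches(canonical, members))
    print(build_uid_login({canonical: "10.0.0.5"}))
```

Run it and the first check prints `False` while the normalised name prints `True`; the `uid-message` at the end carries `emea.com\test1`, the form that will line up with the group members. Whatever feeds the external source, the fix is to send the name in the same form the group mapping stores, not to strip the domain from the group.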
07-14-2022 10:26 AM
Hi
Could you please detail this a bit? I had a similar situation and don't follow what your solution is, even on the original post!
Thanks!
04-20-2023 10:00 AM
I'm experiencing a similar situation using the internal User-ID agent and mapping to three (3) server-monitored domain controllers. Recently a user was denied access, and when searching Monitor > Traffic I noticed that there was no user mapping associated with the traffic. However, when I search Monitor > User-ID, it shows that the firewall knew of an IP-to-user mapping during that specific time.
Note: when looking at Monitor > User-ID, I do notice that of the 3 server monitors, the user mappings only come from 2 of the 3 domain controllers.
If anyone can provide some insight, this would be helpful. Thanks.