08-31-2012 03:10 AM
I've got a PA500 pair with 4.1.7 where PAN agent has been replaced with group mapping, whereby I now need to install a user-id agent instead of the PAN agent to get any user details in the logs and use in policy (is that statement correct?)
I'm having a few problems,
* user accounts to IP devices seem to pick up the wrong one, from what I can think of its AV using a service account that changes the name of the user account, not 100% sure. So I see a lot of "service" usernames hitting my firewall log and thus my user policy does not apply.
* even though I've got a group defined on a policy rule that the specific user applies to and I can see in the monitor logs that this specific user tries to connect with it's src IP to dst IP but misses the rule and goes into my explicit drop rule. I've looked in the CLI to see if the PA know's what users apply to this rule and I can see the users populated there.
The rule looks like this:
Source Zone: Trust
Destination Zone: Untrust
User: usergroup
Application: ms-rdp,t.120,rdp2tcp
Rest left at their defaults
I kick off an RDP from a Trust location to Untrust and I see in the logs it's hitting my explicit drop rule. As soon as I take the user group out of the policy it hits the rule. So I'm a bit confused.
How can I further troubleshoot this and where can I fix it? The Userid agent is residing on the same server that still has the PAN agent (so had to change the listener port from 8888 and also the PA to another port, they connect fine to both LDAP and the userid agent but the information that the Userid agent picks up is not always correct.)
09-03-2012 09:17 AM
Hello,
Your statement is indeed correct .
Under the LDAP configuration:- Device--->LDAP is the domain field empty or have you put in the entire domain name. If so please change it to the netbios name for ex:- abcd.com, doamin field should be set as abcd.
Please let us know if this works.
.
Thank you.
Subijith Raghunandan.
09-03-2012 07:30 AM
So update, it works with a specific username if I type: DOMAIN\USERNAME it does not work if I use the full CN path to the username and specific groups is not working either. Confused to where I should be troubleshooting this, any input would be greatly appriciated.
09-03-2012 09:17 AM
Hello,
Your statement is indeed correct .
Under the LDAP configuration:- Device--->LDAP is the domain field empty or have you put in the entire domain name. If so please change it to the netbios name for ex:- abcd.com, doamin field should be set as abcd.
Please let us know if this works.
.
Thank you.
Subijith Raghunandan.
09-04-2012 12:05 AM
It was set with the domain name (domain.com example) I've changed it now, I did think that the group mapping that uses the ldap server profile was working since I could see the groups populated on the firewall policy.
Best Practices using LDAP Servers
• If the underlying directory is Active Directory, make sure the “Domain” field of the LDAP Server matches the NETBIOS name of the domain.
^ Did actually read that but must have gotten confused along the way, created a funny problem. Shame it was "working" but not if you understand, makes it harder to troubleshoot 😉
It's "all" working now, maybe you have some answer to my other query since you helped greatly with that little change 
09-04-2012 12:14 AM
Just a quick note that I noticed. After I changed the domain name to NETBIOS name I no longer could get the groups from the within the policy. The group filter under group mappings was empty could only see the base dn. I deleted the group mappings and created it again and I could then see the groups once more. 
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
