- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
06-22-2012 05:44 PM
Hi all,
Is it possible to use AD groups in Panorama reports and monitoring? We have successfully configured user-id and group mapping on our devices, and we can utilize user id in Panorama as well. What I have not been able to do is use AD groups in Panorama. I get the "unknown group" error. I have seen a couple of threads discussing Panorama getting the group mapping from the Master Device in the device group, but I have not seen this to be the case for us. We are new to the product, so any help is greatly appreciated. We are running 4.1.6 on devices and Panorama, and 4.1.2 user-id agents.
Thanks,
Russ
06-26-2012 07:59 AM
Panorama does not store the user to group membership today since this can differ across devices. This will depend on the AD setup and how it maps to agents across the deployed devices. Please follow up with your local SE to file a feature request for the potential addition of this functionality in a future release.
Today you can setup a scheduled report in Panorama that utilizes a device DB, instead of a Panorama DB. This will cause Panorama to send the device a report definition which will cause a statistics file to be sent hourly from the device to Panorama. The stats file will be used when the report is run to aggregate the data. This approach gets around the limitation of HDD/SSD space on the device causing data to be missing if data is rolling faster than the report period.
Panorama can run an adhoc report utilizing a device DB if the device contains enough data for the reporting period. This means that the report will not need to be scheduled in advance.
06-23-2012 08:05 AM
Hi...The AD groups in Panorama is using the Master Device in the device group to retrieve. You may want to extend the timeout settings for the connections between Panorama and the device from 20 sec (default) to a longer value like 60 sec. Maybe the communication is timing out. Thanks.
06-26-2012 06:30 AM
Thanks for the info. THis helped us with using groups in our security policies, but Support has told us that AD Group reporting is not supported on Panorama at this time. If anyone has a different experience, we would love to hear about it. It really makes panormama a lot less useful if you can't use the aggregate reporting functions across multiple devices. This is especially true if you are using the devices in a redundant ISP model but do not have them confgured in HA.
06-26-2012 07:59 AM
Panorama does not store the user to group membership today since this can differ across devices. This will depend on the AD setup and how it maps to agents across the deployed devices. Please follow up with your local SE to file a feature request for the potential addition of this functionality in a future release.
Today you can setup a scheduled report in Panorama that utilizes a device DB, instead of a Panorama DB. This will cause Panorama to send the device a report definition which will cause a statistics file to be sent hourly from the device to Panorama. The stats file will be used when the report is run to aggregate the data. This approach gets around the limitation of HDD/SSD space on the device causing data to be missing if data is rolling faster than the report period.
Panorama can run an adhoc report utilizing a device DB if the device contains enough data for the reporting period. This means that the report will not need to be scheduled in advance.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!