Using AD Groups in Panorama

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Using AD Groups in Panorama

Hi all,

Is it possible to use AD groups in Panorama reports and monitoring? We have successfully configured user-id and group mapping on our devices, and we can utilize user id in Panorama as well. What I have not been able to do is use AD groups in Panorama. I get the "unknown group" error. I have seen a couple of threads discussing Panorama getting the group mapping from the Master Device in the device group, but I have not seen this to be the case for us. We are new to the product, so any help is greatly appreciated. We are running 4.1.6 on devices and Panorama, and 4.1.2 user-id agents.

Thanks,

Russ

1 accepted solution

Accepted Solutions

Panorama does not store the user to group membership today since this can differ across devices. This will depend on the AD setup and how it maps to agents across the deployed devices. Please follow up with your local SE to file a feature request for the potential addition of this functionality in a future release.

Today you can setup a scheduled report in Panorama that utilizes a device DB, instead of a Panorama DB. This will cause Panorama to send the device a report definition which will cause a statistics file to be sent hourly from the device to Panorama. The stats file will be used when the report is run to aggregate the data. This approach gets around the limitation of HDD/SSD space on the device causing data to be missing if data is rolling faster than the report period.

Panorama can run an adhoc report utilizing a device DB if the device contains enough data for the reporting period. This means that the report will not need to be scheduled in advance.

View solution in original post

3 REPLIES 3

L6 Presenter

Hi...The AD groups in Panorama is using the Master Device in the device group to retrieve.  You may want to extend the timeout settings for the connections between Panorama and the device from 20 sec (default)  to a longer value like 60 sec.  Maybe the communication is timing out.  Thanks.

Thanks for the info. THis helped us with using groups in our security policies, but Support has told us that AD Group reporting is not supported on Panorama at this time. If anyone has a different experience, we would love to hear about it. It really makes panormama a lot less useful if you can't use the aggregate reporting functions across multiple devices. This is especially true if you are using the devices in a redundant ISP model but do not have them confgured in HA.

Panorama does not store the user to group membership today since this can differ across devices. This will depend on the AD setup and how it maps to agents across the deployed devices. Please follow up with your local SE to file a feature request for the potential addition of this functionality in a future release.

Today you can setup a scheduled report in Panorama that utilizes a device DB, instead of a Panorama DB. This will cause Panorama to send the device a report definition which will cause a statistics file to be sent hourly from the device to Panorama. The stats file will be used when the report is run to aggregate the data. This approach gets around the limitation of HDD/SSD space on the device causing data to be missing if data is rolling faster than the report period.

Panorama can run an adhoc report utilizing a device DB if the device contains enough data for the reporting period. This means that the report will not need to be scheduled in advance.

  • 1 accepted solution
  • 2683 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!