Using Users instead of Groups in Policies - Help please

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Using Users instead of Groups in Policies - Help please

L1 Bithead

Hello all,

 

I'm new to PA but I'm really enjoying it...anyway, I've read everything I could find aboud group mappings, and one very good link is https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-User-ID/ta-p/69321 .. but it only show how to use a group in a policy.

 

Is it possible to use a "user" instead of a group in a policy? It seems I can only manage to retreive group info (user-id ip mappings are working through an Agent).

 

Thank you

1 accepted solution

Accepted Solutions

Ok, I feel ashamed now..... It was working all along,  I just needed to start typing the username for it to recognize because by default the users don't appear on the list :|:|:|:|:| Not really intuitive 😕 .. days lost!!!

 

user.png

 

I really appreciated your help on this guys, sorry for the wasted time.

 

Best regards

View solution in original post

8 REPLIES 8

L6 Presenter

Yes, I'm able to build a security policy using a specific user ID and not just a security group.

Thank you for your reply Brandon, can you please elaborate a bit more on how you did it? Am I missing something ? On the Staff group I have users inside (Staff1, etc)

 

GroupMapping.pngspolicyrule.pngGroupMappingConf.png

 

Thank you in advance

 

 

Generally speaking you would want to include the user domain in your Server Profile, it looks like you would have zearthlink. Try giving that a shot and see if it gives you options to your user list; it may also be a good idea to verify that you actually have the right permissions setup, PAs require more permissions then most server admins would feel is necessary so often times I see them not actually have every permission that they need. 

Yeah like @BPry said, I didn't have to do it from the group mapping, it's all probably because of a lack of permissions on the account you're using in the Palo to query AD.  When I create a new security rule I'm able to just enumerate the domain and find the correct user accounts that are necessary.

Thank you Bpry for your comment. Unfortunately it didn't sort the issue out.

 

As for the account permissions, its the same I use for the user agent:

 

panadminproperties.pnguserip.png

 

I even already tried with the "administrator" account (it's only a lab so not really a concern 🙂 ) without success. 

 

If anyone have another idea please share it

 

Thank you in advance

It really sounds like you just don't have something configured properly on the AD side of things. Have you modified the properties on CIMV2 in WIM, have you actually enabled User Identification on the actual zone (this would explain why your accounts listed can't be used)? If you run show user ip-user-mapping all do you actually get anything listed or does nothing show up? You could verify well have multiple issues here that are masquerading as one 

Hello Bpry,

 

thank you for getting back to me again. I have user identification enabled on LAN, gave FULL permissions to the panadmin account and even tried the administrator account:

 

zoneuserid.pngCIMV2.pnguserip.png

 

I can see the user logged (staff1) and it's ip address but still can't filter by users, just groups 😕

 

Thank you in advance

Ok, I feel ashamed now..... It was working all along,  I just needed to start typing the username for it to recognize because by default the users don't appear on the list :|:|:|:|:| Not really intuitive 😕 .. days lost!!!

 

user.png

 

I really appreciated your help on this guys, sorry for the wasted time.

 

Best regards

  • 1 accepted solution
  • 3147 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!