This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Using Users instead of Groups in Policies - Help please

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Using Users instead of Groups in Policies - Help please

Go to solution
zearth
L1 Bithead

‎08-24-2016 10:08 AM

Hello all,

 

I'm new to PA but I'm really enjoying it...anyway, I've read everything I could find aboud group mappings, and one very good link is https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-User-ID/ta-p/69321 .. but it only show how to use a group in a policy.

 

Is it possible to use a "user" instead of a group in a policy? It seems I can only manage to retreive group info (user-id ip mappings are working through an Agent).

 

Thank you

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
zearth
L1 Bithead
In response to zearth

‎08-25-2016 09:33 AM

Ok, I feel ashamed now..... It was working all along,  I just needed to start typing the username for it to recognize because by default the users don't appear on the list :|:|:|:|:| Not really intuitive 😕 .. days lost!!!

 

user.png

 

I really appreciated your help on this guys, sorry for the wasted time.

 

Best regards

View solution in original post

0 Likes Likes
8 REPLIES 8

Go to solution
Brandon_Wertz
L6 Presenter

‎08-24-2016 11:44 AM

Yes, I'm able to build a security policy using a specific user ID and not just a security group.

0 Likes Likes

Go to solution
zearth
L1 Bithead
In response to Brandon_Wertz

‎08-24-2016 11:51 AM

Thank you for your reply Brandon, can you please elaborate a bit more on how you did it? Am I missing something ? On the Staff group I have users inside (Staff1, etc)

 

GroupMapping.pngspolicyrule.pngGroupMappingConf.png

 

Thank you in advance

 

 

0 Likes Likes

Go to solution
BPry
Cyber Elite
Cyber Elite
In response to zearth

‎08-24-2016 12:47 PM

Generally speaking you would want to include the user domain in your Server Profile, it looks like you would have zearthlink. Try giving that a shot and see if it gives you options to your user list; it may also be a good idea to verify that you actually have the right permissions setup, PAs require more permissions then most server admins would feel is necessary so often times I see them not actually have every permission that they need. 

0 Likes Likes

Go to solution
Brandon_Wertz
L6 Presenter
In response to zearth

‎08-24-2016 01:25 PM

Yeah like @BPry said, I didn't have to do it from the group mapping, it's all probably because of a lack of permissions on the account you're using in the Palo to query AD.  When I create a new security rule I'm able to just enumerate the domain and find the correct user accounts that are necessary.

0 Likes Likes

Go to solution
zearth
L1 Bithead
In response to BPry

‎08-24-2016 01:26 PM

Thank you Bpry for your comment. Unfortunately it didn't sort the issue out.

 

As for the account permissions, its the same I use for the user agent:

 

panadminproperties.pnguserip.png

 

I even already tried with the "administrator" account (it's only a lab so not really a concern 🙂 ) without success. 

 

If anyone have another idea please share it

 

Thank you in advance

0 Likes Likes

Go to solution
BPry
Cyber Elite
Cyber Elite
In response to zearth

‎08-25-2016 08:20 AM

It really sounds like you just don't have something configured properly on the AD side of things. Have you modified the properties on CIMV2 in WIM, have you actually enabled User Identification on the actual zone (this would explain why your accounts listed can't be used)? If you run show user ip-user-mapping all do you actually get anything listed or does nothing show up? You could verify well have multiple issues here that are masquerading as one 

0 Likes Likes

Go to solution
zearth
L1 Bithead
In response to BPry

‎08-25-2016 09:09 AM

Hello Bpry,

 

thank you for getting back to me again. I have user identification enabled on LAN, gave FULL permissions to the panadmin account and even tried the administrator account:

 

zoneuserid.pngCIMV2.pnguserip.png

 

I can see the user logged (staff1) and it's ip address but still can't filter by users, just groups 😕

 

Thank you in advance

0 Likes Likes

Go to solution
zearth
L1 Bithead
In response to zearth

‎08-25-2016 09:33 AM

Ok, I feel ashamed now..... It was working all along,  I just needed to start typing the username for it to recognize because by default the users don't appear on the list :|:|:|:|:| Not really intuitive 😕 .. days lost!!!

 

user.png

 

I really appreciated your help on this guys, sorry for the wasted time.

 

Best regards

0 Likes Likes
  • 1 accepted solution
  • 3656 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks