09-13-2012 10:49 AM
Hi, I would like to set up a security policy based on a group a user belongs to on my AD. I've set up the LDAP and User-ID client on the server, but when I go to create the security rule, nothing shows up in the add box for the user, even if I click the drop-down or start to type the domain/username info. I'm thinking I missed a step or something. Can anyone recommend some things I should check, or point me in the direction of some good documents?
Thanks!!
09-24-2012 01:13 PM
Got it working... The problem was the PAN box was set to Proxy the groups from the agent to the Box. Support went in and turned off the proxy, and all the groups showed up... Thanks for everyone's help and advice.
Jeff
09-13-2012 11:17 AM
Here is a document that explains how to configure User-ID agent and the LDAP server group mappings.
https://live.paloaltonetworks.com/docs/DOC-3120
If you have all the configuration set according to the document, I would ask you to check whether the firewall is actually pulling the user-group information. This can be verified with the command "show user group-mapping state all". If you are able to see all the group information in the output, then the group mapping is working properly. So you might want to try using different browsers to create security rules and see if it helps.
Thanks,
Sandeep T
09-13-2012 11:26 AM
If the firewall isn't showing User Info:
Verify if the Agent is the User-Mapping:
CLI command to verify User-IP Mapping (Done by User-Id Agent)
>show user ip-user-mapping
If you see this command not showing IP-User Mapping:
Check if the Agent is connected; also verify if you see Discovered Users on the Agent (Monitor).
Refer:
User Identification Initial Setup
https://live.paloaltonetworks.com/docs/DOC-3664
If IP-User Mapping is being done as expected, verify the LDAP config for User-Group Mapping.
CLI command to verify User-Group Mapping (Done by Firewall via LDAP)
Enlists Users in the group (Included Groups in LDAP/All if No Included Groups configured)
>show user group name <value>
User Identification Tech Note PAN-OS 4.1
https://live.paloaltonetworks.com/docs/DOC-3120
-Ameya
09-13-2012 01:57 PM
You can also try resetting the user-id manager with the command "debug user-id reset user-id manager type all" and also "debug software restart user-id" from the CLI.
Sandeep T
09-14-2012 11:19 AM
Hi Guys,
Thanks for the suggestions and help.
Looks like my PAN box is mapping users to IPs.
Here is what I see when I run show user ip-user-mapping:
IP               Ident. By  User                              Idle Timeout (s)  Max. Timeout (s)
---------------  ---------  --------------------------------  ----------------  ----------------
10.2.131.95      AD         in\amorse                         3499              3499
10.134.193.219   AD         in\kwoodward                      3499              3499
10.130.193.238   AD         in\bucstudent                     3499              3499
When I run: show user group list
I don't get anything back. I'm thinking this is where the problem is.
This looks odd to me too:
show user group-mapping state all
Group Mapping(vsys1, type: active-directory): test
Bind DN : PANBOX@IN.SCU.K12.CA.US
Base : DC=in,DC=scu,DC=k12,DC=ca,DC=us
Group Filter: (None)
User Filter: (None)
Servers : configured 1 servers
10.1.20.112(3268)
Proxy state: QUERY_SENT (no result back from agent)
Query agent: ADMASTER2
Result from:
Last Action Time: (Never)
Next Action Time: In 2 secs
Number of Groups: 0
Thanks again for everyone's support! Can't wait to get this going!
Jeff
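As an added illustration (not code from this thread or from Palo Alto Networks), here is a small Python parser that reads the "show user group-mapping state all" output Jeff posted and flags the conditions that explain an empty group list: a zero group count, a query still sitting in the QUERY_SENT proxy state, and a refresh that has never completed. The sample text is the output quoted above; the field names and layout are assumed to match that format.

```python
import re

# Constructed sample: the 'show user group-mapping state all' output quoted in the post above.
SAMPLE_STATE = """\
Group Mapping(vsys1, type: active-directory): test
Bind DN : PANBOX@IN.SCU.K12.CA.US
Base : DC=in,DC=scu,DC=k12,DC=ca,DC=us
Group Filter: (None)
User Filter: (None)
Servers : configured 1 servers
10.1.20.112(3268)
Proxy state: QUERY_SENT (no result back from agent)
Query agent: ADMASTER2
Result from:
Last Action Time: (Never)
Next Action Time: In 2 secs
Number of Groups: 0
"""

# Header of each group-mapping profile block, and the LDAP server lines under "Servers".
HEADER_RE = re.compile(r"Group Mapping\((\w+), type: ([\w-]+)\): (\S+)")
SERVER_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}\(\d+\)$")

def parse_group_mapping_state(text):
    """Split the CLI output into one dict per profile; 'key : value' lines become entries."""
    profiles, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = {"vsys": m.group(1), "type": m.group(2), "name": m.group(3), "servers": []}
            profiles.append(current)
        elif current is not None and SERVER_RE.match(line):
            current["servers"].append(line)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return profiles

def diagnose(profile):
    """Explain why a profile yields no groups, using the fields the thread looks at."""
    findings = []
    if profile.get("Number of Groups", "0").strip() == "0":
        findings.append("no groups retrieved for profile %s" % profile["name"])
    if profile.get("Proxy state", "").startswith("QUERY_SENT"):
        findings.append("group query is proxied through agent %s and has not returned" % profile.get("Query agent", "?"))
    if profile.get("Last Action Time") == "(Never)":
        findings.append("profile has never completed an LDAP refresh")
    return findings
```

A healthy profile (non-zero group count, no pending proxy query, a real last-action timestamp) returns an empty findings list, so the function can be run over the output of several firewalls to pick out the broken ones.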