03-04-2013 11:49 AM
Hi,
I'm about to deploy two PA-5060s in HA, and I am configuring everything from Panorama. When it comes to the Group Mapping on Panorama, the UI is different than it is on the firewalls.
On Panorama:
On the firewall:
Any input is appreciated.
Thanks,
Alex
03-04-2013 11:58 AM
Available Groups are not visible, as Panorama is not equipped to pull the User-Group info directly from the AD.
The User-ID information is pulled up on Panorama using the Master Device in the device group.
-Ameya
03-04-2013 12:22 PM
I called support and they told me that the firewall will not push information to Panorama. What are you basing this information on?
Alex
03-04-2013 12:48 PM
This is the response that I just received from Support:
Under template we will have to manually configure LDAP settings and push to the device. It will not self populate. We will need base and bind information handy before configuring. When you push those templates to device, then you will be able to pull group information. Group mapping settings templates are different on Panorama and device by design. While pushing it as a template, you will need to have group information ready. Once you push it to the device, it will appear in same format as device's group mapping setting. You can override the setting and edit it later if you want to.
I still don't understand why they removed the handy Available Groups window, and would love an official answer to this.
Alex
03-04-2013 01:40 PM
Panorama has always pulled up the User-Id info from the Master Device in the Device Group for use in policies.
It still does not have the capacity to interact with the AD directly.
Excerpt from Help: "Group Mappings Settings tab—Specify settings to support mappings that associate users with user groups. User group mapping is performed by the firewall"
03-04-2013 01:48 PM
So what I am to understand is that I have to type in something like:
cn=information systems dept,ou=information systems,ou=users,ou=cec,DC=domain,DC=com
into the M-100 and hope that it's right, as opposed to being able to browse the structure tree like I can on the firewall. What if I make a mistake? How am I supposed to have all this information handy? Does this mean that the easiest way is to do it on the firewall and then copy all that information manually to Panorama?
I suppose my question still stands... why are they different?
Alex
Now shamelessly accepting all friend requests, until the first 72.
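For the "what if I make a mistake?" concern above, a group DN can be sanity-checked before it is typed into a Panorama template. The following is an added example, not part of any post in this thread and not a Palo Alto Networks tool; the base DN `DC=domain,DC=com` is assumed from the suffix of the DN quoted in the thread, and the check covers syntax and placement under the base only, not whether the group exists in the directory.

```python
import re

# Attribute type: short name (cn, ou, dc) or dotted numeric OID (RFC 4514).
_ATTR = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)$")


def split_unescaped(text, sep):
    """Split on sep, ignoring separators escaped with a backslash."""
    parts, current, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            current.append(text[i:i + 2])  # keep the escape pair together
            i += 2
        elif text[i] == sep:
            parts.append("".join(current))
            current = []
            i += 1
        else:
            current.append(text[i])
            i += 1
    parts.append("".join(current))
    return parts


def parse_dn(dn):
    """Return [(attr, value), ...] lowercased for comparison, or raise ValueError.

    Simplification: multi-valued RDNs ("+") are kept as one value.
    """
    rdns = []
    for rdn in split_unescaped(dn, ","):
        attr, eq, value = rdn.partition("=")
        attr = attr.strip()  # tolerate a space after the comma
        if not eq or not _ATTR.match(attr) or not value:
            raise ValueError(f"malformed RDN: {rdn!r}")
        # Assumption: case-insensitive matching, as is usual for cn/ou/dc.
        rdns.append((attr.lower(), value.lower()))
    return rdns


def check_group_dn(group_dn, base_dn):
    """Return a list of problems; an empty list means the DN passed."""
    try:
        group, base = parse_dn(group_dn), parse_dn(base_dn)
    except ValueError as exc:
        return [str(exc)]
    if len(group) <= len(base) or group[-len(base):] != base:
        return [f"{group_dn!r} is not under base {base_dn!r}"]
    return []
```
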