Why is Group Mapping Different in M-100?

L3 Networker

Hi,

I'm about to deploy two PA-5060s in HA, and I am configuring everything from Panorama. When it comes to the Group Mapping on Panorama, the UI is different than it is on the firewalls.

On Panorama:

[Screenshot: GM1.png]

On the firewall:

[Screenshot: GM2.png]

Any input is appreciated.

Thanks,

Alex


Accepted Solutions
L3 Networker

So what I am to understand is that I have to type in something like:

cn=information systems dept,ou=information systems,ou=users,ou=cec,DC=domain,DC=com

into the M-100 and hope that it's right, as opposed to being able to browse the structure tree like I can on the firewall. What if I make a mistake? How am I supposed to have all this information handy? Does this mean that the easiest way is to do it on the firewall and then copy all that information manually to Panorama?

I suppose my question still stands... why are they different?

Alex

Now shamelessly accepting all friend requests, until the first 72.
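A way to catch typing mistakes in a hand-entered group DN before it goes into a Panorama template, as an added example that is not part of the original post or any Palo Alto Networks tooling. It parses the DN with simplified RFC 4514 rules and checks that it sits under the LDAP base DN; the function names and the base `dc=domain,dc=com` are assumptions, and it does not confirm that the group exists in the directory.

```python
# Added example: sanity-check a hand-typed group DN before pasting it into a
# Panorama template. Simplified RFC 4514 parsing; no directory lookup is done.
import re

ATTR_TYPE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)$")


def split_unescaped(text, sep):
    """Split on sep, ignoring separators escaped with a backslash."""
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def parse_dn(dn):
    """Return a list of normalized RDNs, or raise ValueError naming the bad part."""
    rdns = []
    for rdn in split_unescaped(dn, ","):
        avas = []
        for ava in split_unescaped(rdn, "+"):
            attr, eq, value = ava.partition("=")
            if not eq or not ATTR_TYPE.match(attr.strip()) or not value.strip():
                raise ValueError(f"malformed RDN component: {ava!r}")
            # Attribute types and typical AD values compare case-insensitively.
            avas.append((attr.strip().lower(), value.strip().casefold()))
        rdns.append(tuple(sorted(avas)))
    return rdns


def check_group_dn(group_dn, base_dn):
    """True if group_dn is well formed and sits strictly below base_dn."""
    group, base = parse_dn(group_dn), parse_dn(base_dn)
    return len(group) > len(base) and group[-len(base):] == base
```

A `ValueError` points at the component that was mistyped; a `False` result means the DN parses but does not end in the configured base.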



All Replies
L5 Sessionator

Available Groups are not visible as Panorama is not equipped to pull the User-Group info directly from the AD.

The User-ID information is pulled up on Panorama using the Master Device in the device group.

-Ameya

L3 Networker

I called support and they told me that the firewall will not push information to Panorama. What are you basing this information on?

Alex

L3 Networker

This is the response that I just received from Support:

Under template we will have to manually configure LDAP settings and push to the device. It will not self populate. We will need base and bind information handy before configuring. When you push those templates to device, then you will be able to pull group information. Group mapping settings templates are different on Panorama and device by design. While pushing it as a template, you will need to have group information ready. Once you push it to the device, it will appear in same format as device's group mapping setting. You can override the setting and edit it later if you want to.

I still don't understand why they removed the handy Available Groups window, and would love an official answer to this.

Alex

L5 Sessionator

Panorama has always pulled up the User-ID info from the Master Device in the Device Group for use in policies.

It still does not have the capacity to interact with the AD directly.

Excerpt from Help: "Group Mappings Settings tab—Specify settings to support mappings that associate users with user groups. User group mapping is performed by the firewall"
