Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Filtering by a Azure AD user does not work in Gateway-->Agent-->Client Settings

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Filtering by a Azure AD user does not work in Gateway-->Agent-->Client Settings

L2 Linker

Hi,

we currently have global protect integrated with Azure MFA using SAML and it works flawless.
https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/palo-alto-networks-globalprotect-...

 

Now, we would like to offer a different IP Pool depending on the user account. when I check in the MONITOR for connections using that VPN gateway, I see the different corporate email addresses in the SOURCE USER column. this email address is the one used to make the authentication via Azure MFA.

 

At this point, my approach was to create a new Agent-->client setting in the gateway portal . In the 'Config Selection Criteria' I included my corporate email addreass as SOURCE USER. No errors were shown so I clicked OK and commit. I also included a different IP pool range to filter conenctions later on with dedicated policies.

 

Surprisingly, afte the change was applied and I reconnect, I still get an IP address from the old IP pool, the one with 'any' on its client settings. it seems like my user name did not match for some reason. (see attachement)

we have a PA-850 running version 10.1.3

 

thanks

 



Please note you are posting a public message where community members and experts can provide assistance. Sharing private information such as serial numbers or company information is not recommended.
8 REPLIES 8

L2 Linker

According to the official documentation the source user in the client setting tab must be configured via User Identification.

In our case we only have the internal Active Directory and checking its settings I saw an option that called my attention, Alternate Username 1.

I wonder if I put "mail" in that field, it might be used in the filtering as a username. (see attachment)

Does anyone used that before for a similar purpose?

 

thanks

L1 Bithead

Hi @JoseCortijo - did you ever figure this out?  I am having a similar issue.  I am using SAML and I have an "any" user config which works fine.  But I am trying to add a more restrictive config above that one, which contains specific users or groups, and cannot get it to work. All users keep matching the "any" rule.

L1 Bithead

We don't need user-id enabled for this.

  1. If you are using a username to filter, check the Globalprotect/authd.logs to see what username is passed to the firewall. 
  2. use domain\username format to filter the config.

 

E.g 

 

username@domain.com, then use domain.com\username as the source user.

 

Hope this helps. 

Hi @pkumar2 ,

I afraid that that simple solution does not work. That was my first attempt indeed.

Following your advice I checked the Globalprotect authentication logs and I saw username@domain.com as source user.
I added domain\useraccount and even the email address but there is still no match with the rule.

I am getting the client settings with the "any" as a filter.

 

A technician from a local partner told me that I might have an issue with the group mapping settings. The email should be mapped with the LDAP information stored in PA. I checked that as well but I did not see anything wrong.

 

 

L1 Bithead

@JoseCortijo - I got my issue resolved with the help of PAN support, figured I'd share it here in case it helps you.  For my two LDAP server profiles, instead of using LDAP/636 to each of my AD domains (root and child), I switched to GlobalCatalog/3269 to the root domain as well as LDAP/636 to the root domain. I then changed User ID group mapping to use the GlobalCatalog server profile, so that it could read all domains, and blanked the User Domain field in the group mapping config.  Next, I added the relevant AD groups to the Group Mapping Group Include list and also to the SAML Authentication Profile Allow List under Advanced.  Now in my Agent Client Settings, I add the relevant groups to the Source User list.

Here is the doc that helped me, as it recommends using Global Catalog if you have Universal AD Groups, and also mentions that the User Domain field can usually be left blank in the Group Mapping config: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/user-id/map-users-to-groups

HTH!

Hi @tamerfahmy 

thanks a lot for your reply and the link. Not sure if my issue was the same as yours. The AD groups got already populated and I could select the target AD group in the Agent Client Settings, my issue was that it didn't seem to match the condition so the different settings based on AD membership never applied.

 

I followed your instructions and I created an additional LDAP server profile for the global catalog and then, a new group mapping configuration using that new ldap server profile. Not sure if I should keep both group mappings enabled or not.

the result keeps the same, I can select the ad group in the Agent Client settings but it is never taken into account.

I attach some screenshots, maybe you could see where could be my issue.

 

thanks once again for your reply.

L1 Bithead

Hi @JoseCortijo,

Yes, I have both group mappings enabled.

Did you add the relevant AD groups to the Group Include list in the global catalog Group Mapping?

Also, in the SAML Authentication Profile > Advanced > Allow List, you can try adding the groups explicitly instead of using "all".

L1 Bithead

Hey @JoseCortijo did you find solution for this problem?

  • 5882 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!