08-08-2022 03:01 AM
Hi @AProwant
Unfortunately I don't have personal experiance (hope one day to have the same in our environment), but I believe you need the following:
- You need Group Mapping with enabled "Fetch list of managed devices". This will tell the firewall to pull the serial number of AD computers over LDAP - https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/device/device-server-profiles...
- Create HIP object that as "Managed" set you "yes under General Tab -> Host Info
Once you enable fetching device list in group mapping you should be able to see the list of retrieved devices with:
> show user ldap-device-serialno allIf you don't see it either:
- the service account you use for the LDAP doesn't have enough permissions
- The serial number is not set as attribute for the computer objects in the AD - https://www.reddit.com/r/paloaltonetworks/comments/n1pe2p/global_protect_hip_check_machine_account_e...
08-08-2022 03:01 AM
Hi @AProwant
Unfortunately I don't have personal experiance (hope one day to have the same in our environment), but I believe you need the following:
- You need Group Mapping with enabled "Fetch list of managed devices". This will tell the firewall to pull the serial number of AD computers over LDAP - https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/device/device-server-profiles...
- Create HIP object that as "Managed" set you "yes under General Tab -> Host Info
Once you enable fetching device list in group mapping you should be able to see the list of retrieved devices with:
> show user ldap-device-serialno allIf you don't see it either:
- the service account you use for the LDAP doesn't have enough permissions
- The serial number is not set as attribute for the computer objects in the AD - https://www.reddit.com/r/paloaltonetworks/comments/n1pe2p/global_protect_hip_check_machine_account_e...
08-08-2022 07:09 PM
Thank you so much. That worked perfectly!
09-05-2024 06:51 AM
Hi,
I'm currently experiencing the same issue.
We currently have a working LDAP connection to MS AD that is used for user group identification on GP HIP and works without issues.
We are trying to identify machines through Serial Number for that purpose we have:
On Device > User Identification > Group mapping settings > Fetch list of managed devices: YES
On Network > GlobalProtect > Portal > Agent (new) > Config Selection Criteria > Device Checks > Serial Number Check > Machine account exists with device serial number: YES
On Network > GlobalProtect > Portal > Agent (new) > HIP Data collection > Collect HIP Data: YES
On Objects > GlobalProtect > HIP Object (new) > host info > HIP Managed: YES
On MS AD we have create a user group with the name and cn matching the serial number of the test pc
And we have added this new group into Group mapping settings > Group include list.
Unfortunately we keep on been unable to match the serial numbers because we are not receiving them from LDAP.
> show user ldap-device-serialno all
ID|SerialNumber|Manged_by_AD|LastUpdateTime
Please can you let me know the MS AD > LDAP side of the config that you did for this to work? And if anything else was done in the firewall side?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
