Require serial number match?

We are running 10.2.2 w/ GP 6.0.3 and I am unable to figure out how to have my serial number (discovered via HIP) be required to match what is in AD. Could someone please show me which way to go? Support and my sales engineer have been unable to assist.

 

Thank you,

Andy

Accepted Solutions

Hi @AProwant 

Unfortunately I don't have personal experience (hope one day to have the same in our environment), but I believe you need the following:

- You need Group Mapping with enabled "Fetch list of managed devices". This will tell the firewall to pull the serial number of AD computers over LDAP - https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/device/device-server-profiles...

- Create a HIP object that has "Managed" set to "yes" under General Tab -> Host Info

 

Once you enable fetching device list in group mapping you should be able to see the list of retrieved devices with:

> show user ldap-device-serialno all

If you don't see it either:

- the service account you use for the LDAP doesn't have enough permissions

- The serial number is not set as attribute for the computer objects in the AD - https://www.reddit.com/r/paloaltonetworks/comments/n1pe2p/global_protect_hip_check_machine_account_e...

Thank you so much. That worked perfectly!
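The accepted answer's second failure mode (the serial number is not set on the computer objects) is the one you fix in AD, not on the firewall. The script below is an added example, not code from the thread or from Palo Alto Networks: it audits which computer objects in an OU have no serial number, fills the attribute from each endpoint's BIOS serial, and then re-reads the attribute as the firewall's LDAP service account to separate the two causes the answer lists (missing attribute vs. insufficient permissions). It assumes the firewall reads the computer object's `serialNumber` attribute and that the GlobalProtect agent reports the BIOS serial (Win32_BIOS.SerialNumber) in HIP; confirm both against the PAN-OS documentation for your version. The OU in `$SearchBase` is a placeholder, and the CIM query needs WinRM access to the endpoints.

```powershell
# Added example (not from the original thread): populate and audit the AD
# attribute the firewall's "Fetch list of managed devices" option consumes.
# Assumptions, to be verified against the PAN-OS docs for your version:
#   - the firewall pulls the computer object's serialNumber attribute;
#   - GlobalProtect reports Win32_BIOS.SerialNumber as the host serial in HIP.
# Requires the ActiveDirectory module (RSAT) and WinRM access to endpoints.
param(
    [string]$SearchBase = 'OU=Workstations,DC=example,DC=com',  # placeholder OU
    [pscredential]$FirewallLdapCred,   # account the firewall binds to LDAP with
    [switch]$Apply                     # without -Apply the script only reports
)

Import-Module ActiveDirectory

# 1. Which enabled computer objects have no serialNumber yet?
$computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties serialNumber
$missing   = @($computers | Where-Object { -not $_.serialNumber })
Write-Host ("{0} of {1} computer objects lack serialNumber" -f $missing.Count, $computers.Count)

# 2. Fill the gap from the endpoint's BIOS serial, so the value in AD is the
#    same string the HIP report carries and the "Managed" check compares like with like.
foreach ($c in $missing) {
    try {
        $bios   = Get-CimInstance -ClassName Win32_BIOS -ComputerName $c.DNSHostName -ErrorAction Stop
        $serial = [string]$bios.SerialNumber
        $serial = $serial.Trim()
        # Virtual machines and some OEM boards ship placeholder serials; those
        # would never match anything useful, so leave the attribute empty.
        if ([string]::IsNullOrWhiteSpace($serial) -or $serial -match 'To be filled|Default string') {
            Write-Warning "$($c.Name): BIOS serial is empty or a vendor placeholder, skipping"
            continue
        }
        if ($Apply) {
            # serialNumber is multi-valued in the schema; -Replace leaves exactly this one value.
            Set-ADComputer -Identity $c -Replace @{ serialNumber = $serial }
        }
        $tag = if ($Apply) { 'written' } else { 'dry run' }
        Write-Host "$($c.Name): $serial ($tag)"
    } catch {
        Write-Warning "$($c.Name): could not read BIOS serial ($($_.Exception.Message))"
    }
}

# 3. Re-read the attribute as the firewall's service account. An object that is
#    populated when read as an admin but empty (or absent) when read as the
#    service account is an ACL problem on the attribute, not a firewall problem.
if ($FirewallLdapCred) {
    $populated  = @(Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties serialNumber |
                    Where-Object { $_.serialNumber })
    $asFirewall = @(Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties serialNumber `
                    -Credential $FirewallLdapCred)
    $hidden = @($asFirewall | Where-Object { -not $_.serialNumber -and $_.Name -in $populated.Name })
    $unseen = @($populated  | Where-Object { $_.Name -notin $asFirewall.Name })
    if ($hidden) { Write-Warning ("Service account cannot read serialNumber on: " + ($hidden.Name -join ', ')) }
    if ($unseen) { Write-Warning ("Service account cannot see these computer objects at all: " + ($unseen.Name -join ', ')) }
    if (-not $hidden -and -not $unseen) { Write-Host "Service account reads serialNumber on every populated object" }
}
```

Run it once without `-Apply` to see what would change, then with `-Apply -FirewallLdapCred (Get-Credential)`. After the firewall's next group-mapping refresh, the answer's `show user ldap-device-serialno all` should list the serials you wrote; if it still does not, the remaining suspects are the group-mapping profile itself (the "Fetch list of managed devices" option and the search base it covers) rather than AD.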
