Unable to Apply Group based Security Policy


L1 Bithead

Hello Team,

 

We have successfully integrated LDAP with the Palo Alto firewall, and user-ID mapping via the user-ID agent is functioning as expected. We are able to use LDAP users in the security policy without any issues. However, when attempting to apply LDAP groups to the policy, the policy does not seem to work as intended.

 

We have configured the group mapping correctly, and when we check the user list within the group via CLI, it displays accurately.

 

Could you please assist us with your expertise in resolving this issue?

1 REPLY 1

Cyber Elite

Hi @Mebinbaby ,

 

The most common reason, by far, for group mappings not to work is that the format of the user name in the IP mapping is different from the format of the username in the group mapping. The username must match exactly. You can run the following commands to verify the format is exactly the same:

 

> show user ip-user-mapping all
> show user group list
> show user group name "cn=it_operations,cn=users,dc=al,dc=com"

 

Obviously, replace the group name above with the one in question. 😀 If there are spaces in the group name, it must be in quotes.

 

If the formats are different, please post and we can look at resolving it. Please also post the source of the User/IP mappings. If the source involves an authentication profile, please post the type.

 

Thanks,

 

Tom
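As an added illustration of the check Tom describes (this is an example I wrote, not code from the post or from Palo Alto Networks), the script below parses the output of the two show commands and reports IP-mapped users whose name appears in the group only under a different format. The sample outputs are constructed and their column layout is an assumption, as are the function names; the firewall compares the exact string, so any name listed in the result will never be matched by a group-based rule.

```python
import re

# Constructed sample, laid out like "show user ip-user-mapping all" (layout assumed).
IP_MAPPING_OUTPUT = """\
IP              Vsys   From  User                IdleTimeout(s) MaxTimeout(s)
--------------- ------ ----- ------------------- -------------- -------------
10.1.20.15      vsys1  UIA   al\\jdoe            2400           2700
10.1.20.16      vsys1  UIA   al\\asmith          2400           2700
10.1.20.17      vsys1  GP    msmith@al.com       2400           2700
Total: 3 users
"""
# Constructed sample, laid out like "show user group name <dn>" (layout assumed).
GROUP_OUTPUT = """\
short name:  al\\it_operations
source type: ldap
[1     ] al.com\\jdoe
[2     ] al\\asmith
[3     ] al\\msmith
"""

def parse_ip_mapping(text):
    """Collect the User column from rows that begin with an IPv4 address."""
    rows = (re.match(r"\d+\.\d+\.\d+\.\d+\s+\S+\s+\S+\s+(\S+)", ln) for ln in text.splitlines())
    return {m.group(1) for m in rows if m}

def parse_group_members(text):
    """Collect member names from the numbered '[n ] name' lines."""
    rows = (re.match(r"\[\s*\d+\s*\]\s+(\S+)", ln) for ln in text.splitlines())
    return {m.group(1) for m in rows if m}

def username_format(name):
    """Classify the name so a mismatch can be explained, not just flagged."""
    if "\\" in name:
        return "fqdn\\user" if "." in name.split("\\", 1)[0] else "netbios\\user"
    return "user@domain" if "@" in name else "bare"

def bare_name(name):
    """Strip domain decoration: al\\jdoe, al.com\\jdoe, jdoe@al.com -> jdoe."""
    return (name.split("\\", 1)[1] if "\\" in name else name.split("@", 1)[0]).lower()

def find_format_mismatches(ip_users, group_users):
    """Users in the IP mapping that are in the group only under a different
    format; the firewall compares the exact string, so these never match."""
    by_bare = {}
    for g in group_users:
        by_bare.setdefault(bare_name(g), []).append(g)
    return {u: (username_format(u), username_format(g))
            for u in ip_users if u not in group_users
            for g in by_bare.get(bare_name(u), [])}
```

Paste the real command output into the two strings; an empty result means every IP-mapped user is present in the group in exactly the same format.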
