07-20-2023 07:33 AM
Hi,
I have problem with User-ID not being selectable when creating/editing security policy rule.
Setup is as followed:
Command show user group-mapping state <included group name> shows no errors connecting to LDAP. Command show user group name domain\groupname shows members of the group.
So with given being displayed and working, I would say that there's no obstacle in configuring usernames groups in the security policy rules. Yet I can't figure out why firewall is not offering me group drop-down and when I fill in domain\groupname to "source user", that AD group or user gets black background which as per my understanding indicates that user or group weren't found.
Thanks in advance for any hints.
07-26-2023 07:30 AM
Panorama is not pulling directly the mapping, it is a firewall doing that.
So if you want to have the group on Panorama, Panorama needs to pull it from a Device (you can search for "User-ID Panorama Master Device".
Authentication Profile? If you set up a captive portal that is the only use case with authentication profile.
Red gear icon, I would suspect there is an override somewhere..
Anyway, if you want to discuss more about it, better open a new discussion and profile at least a screenshot or you can also open a case to TAC.
Olivier
PCSNE - CISSP
Best Effort contributor
Check out our PANCast Channel
Disclaimer : All messages are my personal ones and do not represent my company's view in any way.
07-20-2023 08:28 AM
Edit: It looks like all is working well. I have created a rule on position let's say 10 that contains 1 user called X (the background is black with red letters). Rule 11 is much more broader rule where internet access of user X would be taken care of if user X would not be taken care of by rule 10. The hit count is rising also for rule 10.
So it seems that all is configured well, it only puzzled me that with every demo I saw on this topic, the presenter has list of users / groups in "select user" dropdown 😞
07-20-2023 08:35 AM
Hi @szi7443 ,
That is very interesting! I am running 10.2.4-h2 and my groups show up under Source User when I click Add.
I have never encountered the black background. There have been times (e.g., Panorama) where the dropdown was not available, and I pasted the group in. It worked fine.
Thanks,
Tom
07-25-2023 05:56 AM - edited 07-25-2023 05:57 AM
Hello Szi7443,
Are you doing the configuration from Panorama or the firewall?
On the firewall, do you see the groups when you try to configure the user/groups?
If yes, that’s ok.
If not, review the config on the firewall, on CLI you can look for the group list.
if you are having the issue on Panorama.
- do the check on the firewall
if Firewall OK, make sure the device group has master device defined. This firewall will send the group mapping to Panorama.
if fw not ok, investigate on firewall.
Olivier
PCSNE - CISSP
Best Effort contributor
Check out our PANCast Channel
Disclaimer : All messages are my personal ones and do not represent my company's view in any way.
07-26-2023 06:20 AM
Hi, I am configuring everything form Panorama.
I am not aware of what you mean exactly with "on the firewall". If I SSH to the firewall, I can see the user-id mappings and members of the groups retrieved from AD with commands like:
The thing is that Panorama is not providing me the values in dropdown when configuring a firewall rule. The original issue can be considered as solved. However, I would still ask two things:
07-26-2023 07:30 AM
Panorama is not pulling directly the mapping, it is a firewall doing that.
So if you want to have the group on Panorama, Panorama needs to pull it from a Device (you can search for "User-ID Panorama Master Device".
Authentication Profile? If you set up a captive portal that is the only use case with authentication profile.
Red gear icon, I would suspect there is an override somewhere..
Anyway, if you want to discuss more about it, better open a new discussion and profile at least a screenshot or you can also open a case to TAC.
Olivier
PCSNE - CISSP
Best Effort contributor
Check out our PANCast Channel
Disclaimer : All messages are my personal ones and do not represent my company's view in any way.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
