UserID to be used in security policy - FW not offering user/group list

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

UserID to be used in security policy - FW not offering user/group list

L1 Bithead

Hi,

 

I have problem with User-ID not being selectable when creating/editing security policy rule.

 

Setup is as followed:

  • branch firewalls connected to Panorama
  • Firewall 3400 with 10.2.4 software
  • LDAP server configured
  • Authentication profile configured
  • Included groups in "user identification" configured
  • User-ID configured (i am seeing domain\username in traffic log)
  • On zones in question, I have user-id enabled

Command show user group-mapping state <included group name> shows no errors connecting to LDAP. Command show user group name domain\groupname shows members of the group.

 

So with given being displayed and working, I would say that there's no obstacle in configuring usernames groups in the security policy rules. Yet I can't figure out why firewall is not offering me group drop-down and when I fill in domain\groupname to "source user", that AD group or user gets black background which as per my understanding indicates that user or group weren't found.

 

Thanks in advance for any hints.

 

1 accepted solution

Accepted Solutions

Panorama is not pulling directly the mapping, it is a firewall doing that.

So if you want to have the group on Panorama, Panorama needs to pull it from a Device (you can search for "User-ID Panorama Master Device".

 

Authentication Profile? If you set up a captive portal that is the only use case with authentication profile.

Red gear icon, I would suspect there is an override somewhere..
Anyway, if you want to discuss more about it, better open a new discussion and profile at least a screenshot or you can also open a case to TAC.

 

Olivier

PCSNE - CISSP

Best Effort contributor

Check out our PANCast Channel

Disclaimer : All messages are my personal ones and do not represent my company's view in any way.

View solution in original post

5 REPLIES 5

L1 Bithead

Edit: It looks like all is working well. I have created a rule on position let's say 10 that contains 1 user called X (the background is black with red letters). Rule 11 is much more broader rule where internet access of user X would be taken care of if user X would not be taken care of by rule 10. The hit count is rising also for rule 10.

So it seems that all is configured well, it only puzzled me that with every demo I saw on this topic, the presenter has list of users / groups in "select user" dropdown 😞

Cyber Elite
Cyber Elite

Hi @szi7443 ,

 

That is very interesting!  I am running 10.2.4-h2 and my groups show up under Source User when I click Add.

 

I have never encountered the black background.  There have been times (e.g., Panorama) where the dropdown was not available, and I pasted the group in.  It worked fine.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

L4 Transporter

Hello Szi7443,

 

Are you doing the configuration from Panorama or the firewall?

On the firewall, do you see the groups when you try to configure the user/groups?

If yes, that’s ok.

If not, review the config on the firewall, on CLI you can look for the group list.

 

if you are having the issue on Panorama.

- do the check on the firewall

if Firewall OK, make sure the device group has master device defined. This firewall will send the group mapping to Panorama.

if fw not ok, investigate on firewall.

 

Olivier

PCSNE - CISSP

Best Effort contributor

Check out our PANCast Channel

Disclaimer : All messages are my personal ones and do not represent my company's view in any way.

Hi, I am configuring everything form Panorama.

 

I am not aware of what you mean exactly with "on the firewall". If I SSH to the firewall, I can see the user-id mappings and members of the groups retrieved from AD with commands like:

  • show user group name domain\group_name
  • show user ip-user-mapping all

The thing is that Panorama is not providing me the values in dropdown when configuring a firewall rule. The original issue can be considered as solved. However, I would still ask two things:

  • When configuring user-id, it did not work for me without an authentication profile. Did I misunderstand something or that auth profile is indeed useless for user-id?
  • When configuring an application in firewall rule, some of the apps have red gear icon - what does that mean?

 

 

Panorama is not pulling directly the mapping, it is a firewall doing that.

So if you want to have the group on Panorama, Panorama needs to pull it from a Device (you can search for "User-ID Panorama Master Device".

 

Authentication Profile? If you set up a captive portal that is the only use case with authentication profile.

Red gear icon, I would suspect there is an override somewhere..
Anyway, if you want to discuss more about it, better open a new discussion and profile at least a screenshot or you can also open a case to TAC.

 

Olivier

PCSNE - CISSP

Best Effort contributor

Check out our PANCast Channel

Disclaimer : All messages are my personal ones and do not represent my company's view in any way.

  • 1 accepted solution
  • 1224 Views
  • 5 replies
  • 0 Likes
  • 38 Subscriptions
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!