Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
09-10-2024 06:31 PM
Hi All,
Need your assistance. The problem is that test rule with user group doesn't have any hits. The users generating traffic are definitely part of the group.
Setup:
Prisma Access managed from On-prem Panorama.
CIE with AD sync. Users and groups are visible from CIE dashboard.
When policy rule configured I can choose from the groups list.
Unfortunately, there are no firewalls to verify if I can get user group membership from CIE.
I have concern regarding upper and lower case letters in the group name. *(DB article: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000sY3lCAE)
AD name: CN=WebAccess-Basic,OU=User,OU=myou,OU=ANOTHEROU,DC=ad,DC=MYDC,DC=org,DC=au
Policy rule name from the drop down list: cn=webaccess-basic,ou=user,ou=myou,ou=anotherou,dc=ad,dc=mydc,dc=org,dc=au
The only confusing thing is that I'm getting the drop down list from CIE, I can't believe it gives me the wrong format. And if so, then I'll need to make changes to each group I'm going to use through Group Mapping setting in Prisma device group, right?
I've attached some screenshots with configuration/settings for reference.
09-16-2024 09:03 AM
@pavel.zemtsov wrote:
Hi All,
Need your assistance. The problem is that test rule with user group doesn't have any hits. The users generating traffic are definitely part of the group.
Setup:
Prisma Access managed from On-prem Panorama.
CIE with AD sync. Users and groups are visible from CIE dashboard.
When policy rule configured I can choose from the groups list.
Unfortunately, there are no firewalls to verify if I can get user group membership from CIE.
I have concern regarding upper and lower case letters in the group name. *(DB article: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000sY3lCAE)
AD name: CN=WebAccess-Basic,OU=User,OU=myou,OU=ANOTHEROU,DC=ad,DC=MYDC,DC=org,DC=au
Policy rule name from the drop down list: cn=webaccess-basic,ou=user,ou=myou,ou=anotherou,dc=ad,dc=mydc,dc=org,dc=au
The only confusing thing is that I'm getting the drop down list from CIE, I can't believe it gives me the wrong format. And if so, then I'll need to make changes to each group I'm going to use through Group Mapping setting in Prisma device group, right?
I've attached some screenshots with configuration/settings for reference.
You said the Test Rule with the user group doesn't have any hits and assuming that it doesn't have any spaces and all are lower cases when it auto-populates
in the firewall policies.
It has to be all lower case on the firewall.
Additionally You may also please refer the documentation below on how CIE populates the group names in the Security Policies.
If your group info is auto-populates in the Firewall policies with all lowercases and no spaces and still it is not working I would recommend you to raise a support case to further to diagnose the exact causes why it's occurring.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
