09-16-2015 09:49 AM - edited 09-16-2015 09:53 AM
All,
I thought I would share a quick tip for those people that may be considering upgrading from 6.x to 7.x in an environment where you are using Panorama.
In PAN-OS 7.x, the information of your Active Directory domain has been moved from the LDAP settings to the Group Mapping Settings. As the first step in upgrading to 7.x is upgrading your Panorama server, you will immediately notice that this field is no longer available in the template.
This setting has been moved to Group Mappings:
If you push this template to any devices that are running PAN-OS 6.x, the domain field in the LDAP settings will become empty which can cause your users in groups to return the wrong mapping without the domain. In our case, it caused the following to happen:
User-ID
IP Vsys From User IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
X.X.X.X vsys1 UIA <domain>\mlinsemier 40 40
Group Mapping:
short name: <domain>\pan-downloads-it
source type: proxy
source: Group Mapping - Domain
[1 ] \mlinsemier
[2 ] \jsmith
[3 ] \jdoe
You will notice that the user names in the Group Mapping are missing the domain portion. This causes any rules that you have set up based on groups not to map correctly.
To fix the issue, you must push your template and then create a local override on each PAN-OS 6.x firewall for each LDAP group and enter your domain.
One thing also to note is that when you upgrade a firewall to PAN-OS 7.x, Panorama may still show that your Templates for that device are still "in Sync" after the upgrade. We didn't re-push the templates after the upgrade to our PAN-OS 7.x firewalls, which meant that the domain field in Group Mapping was blank and caused the same issues. Once we pushed them, the information was populated from the template and all was fixed.
I thought I would share this just in case others are in a similar boat as we were. YMMV.
-Matt
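The quickest way to tell whether a firewall has hit the problem described in the post is to compare the `show user ip-user-mapping all` output (which carries `domain\user`) against `show user group name <group>` (which, when the domain field is blank, lists members as `\user`). The following script is an added example written for this page, not code from the original post or from Palo Alto Networks. It parses text captured from those two commands and reports members that lost their domain prefix, plus any mapped user who is in the group by bare username only and will therefore not match a group-based rule. The sample output, the `example` domain and the 10.0.0.x addresses are constructed; the column layout is modelled on the excerpt above and the regexes assume that layout.

```python
"""Audit PAN-OS CLI output for group members that lost their domain prefix.

Added example, not from the original post. It parses text captured from
'show user ip-user-mapping all' and 'show user group name <group>' and flags
the failure mode described above: group members listed as '\\user' (empty
domain) that will never match the 'domain\\user' names seen in the IP-to-user
mapping. The column layout is modelled on the post's excerpt (an assumption);
adjust the regexes if a line of real output is not recognised.
"""
import re

# --- Constructed sample output (domain and addresses are made up) -----------
SAMPLE_IP_USER_MAPPING = """\
IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
10.0.0.11       vsys1  UIA     example\\mlinsemier               40             40
10.0.0.12       vsys1  UIA     example\\jsmith                   40             40
"""

# As seen after a template push that emptied the LDAP domain field.
SAMPLE_GROUP_BROKEN = """\
short name:  example\\pan-downloads-it
source type: proxy
source:      Group Mapping - Domain
[1     ] \\mlinsemier
[2     ] \\jsmith
[3     ] \\jdoe
"""

# As seen after the domain has been restored (local override or re-push).
SAMPLE_GROUP_FIXED = """\
short name:  example\\pan-downloads-it
source type: proxy
source:      Group Mapping - Domain
[1     ] example\\mlinsemier
[2     ] example\\jsmith
[3     ] example\\jdoe
"""

# A data row of the mapping table: IP, vsys, source, user, two numeric timeouts.
# The header and the dashed separator do not end in two integers, so they are skipped.
_MAPPING_ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+\d+\s+\d+\s*$")
# A member row of the group listing: "[ n ] name".
_MEMBER_ROW = re.compile(r"^\[\s*\d+\s*\]\s+(\S+)\s*$")


def split_domain(name):
    """Return (domain, user) for 'domain\\user'; domain is '' when absent."""
    domain, sep, user = name.partition("\\")
    if not sep:
        return "", name
    return domain, user


def parse_ip_user_mapping(text):
    """Map IP address -> user name as reported by 'show user ip-user-mapping all'."""
    mapping = {}
    for line in text.splitlines():
        m = _MAPPING_ROW.match(line)
        if m:
            ip, _vsys, _source, user = m.groups()
            mapping[ip] = user
    return mapping


def parse_group_members(text):
    """List the member names from 'show user group name <group>'."""
    return [m.group(1) for m in map(_MEMBER_ROW.match, text.splitlines()) if m]


def members_missing_domain(members):
    """Members whose domain part is empty: the symptom described in the post."""
    return [m for m in members if split_domain(m)[0] == ""]


def audit(mapping_text, group_text):
    """Mapped users that match a group member by bare username only.

    Returns a list of (ip, mapped_user, [group_entries]) tuples. A non-empty
    result means policy written against this group will not match those users.
    AD names are compared case-insensitively.
    """
    mapping = parse_ip_user_mapping(mapping_text)
    by_user = {}
    for member in parse_group_members(group_text):
        by_user.setdefault(split_domain(member)[1].lower(), []).append(member)
    broken = []
    for ip, full in mapping.items():
        candidates = by_user.get(split_domain(full)[1].lower(), [])
        if candidates and full.lower() not in {c.lower() for c in candidates}:
            broken.append((ip, full, candidates))
    return broken


if __name__ == "__main__":
    for label, group in (("broken", SAMPLE_GROUP_BROKEN), ("fixed", SAMPLE_GROUP_FIXED)):
        print(label, "members without domain:", members_missing_domain(parse_group_members(group)))
        for ip, user, entries in audit(SAMPLE_IP_USER_MAPPING, group):
            print(f"  {ip}: {user} is mapped, but the group lists {entries}")
```

Run it against output saved from each PAN-OS 6.x firewall after the Panorama push (and again from each firewall after its own upgrade to 7.x, since the post notes Panorama may still report the template as in sync); an empty `audit` result and an empty `members_missing_domain` list mean the domain survived the push.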