Hi @RobertTryba ,
There are a couple of points, so let's tackle them one by one:
- "Gateway changes are not replicating from Panorama to physical firewalls" - this is most probably because the GP Gateway config from Panorama is overridden locally on the firewall. When the FW detects a local config and a config pushed with a Panorama template, it will always prefer the local config until an admin accepts the Panorama config.
You should be able to confirm this by checking in the FW GUI if there is a green gear; if there is a yellow gear over the green gear, this means there is a local config overriding the Panorama template.
Two options:
- Select (not edit, but just select) the GP gateway object; you should see a "revert" button at the bottom of the screen. Something similar to this picture (I don't have access to a FW at the moment, so cannot provide the actual picture)
After that you need to commit locally on the FW.
- Second option - review the entire (or at least the major) config from the Panorama template and make sure all settings in the template are correct. Then push the template config from Panorama to the FW, but enable the setting "Force template values"
What do the different colors on gear icon indicate when a templ... - Knowledge Base - Palo Alto Networks
- "Matching client config not found" - it is a little difficult for me to follow this one without looking at your config or group membership output, but it sounds like you have a problem with user attribute mapping, and also with the group mapping.
When you are configuring group mapping, you define which user attributes the firewall will gather over LDAP. If you are authenticating with UPN to GP, but your group mapping uses the primary user attribute SAM (sAMAccountName), the FW will not be able to match the username with the group mapping. Now, as you can see from group mapping, the FW should be able to match different username formats (if I may call them this way) by mapping all attributes to a user. Please check this discussion where I have shared a couple of commands and links on how to troubleshoot user attribute mapping - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000CpgcCAC&lang=en_US
- "which account I want to use to authenticate, but I do not get MFA request from new tenant to authenticate my login" - Just to clarify, you are referring to Azure MFA, right? Not Palo Alto supported 3rd party MFA - https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/authentication/configure-multi-factor-authentication#id1eeb304d-b2f4-46a3-a3b8-3d84c69fb214 ?
If you are configuring GP with SAML authentication only, which will open the Microsoft login page, which then should challenge you for MFA, this is completely controlled by your AzureAD. There is a setting that tells Azure not to ask you for MFA if you try to log in from the same device for the next N hours/days. If you want AzureAD to ask for MFA every time a user attempts to authenticate, you need to look at the AzureAD settings.
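The username-format mismatch described in the reply above (a UPN login against a group mapping keyed on sAMAccountName), as an added illustration that is not part of the original thread and not Palo Alto Networks code. It is a simplified model of attribute-based user lookup, not the PAN-OS User-ID implementation; the directory records, group names and client-config names are constructed sample data. It also goes slightly beyond the thread by treating the `DOMAIN\user` spelling as a second form of the sAMAccountName attribute.

```python
"""
Added illustration (not Palo Alto Networks code): a login name in one format
(UPN) fails to match a group mapping built on a different primary attribute
(sAMAccountName), and mapping several directory attributes to the same user
record fixes it. Directory records below are constructed sample data and the
matching logic is a simplified model, not PAN-OS User-ID.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DirectoryUser:
    # Constructed sample record, resembling the attributes an LDAP group
    # mapping profile can read from an AD user object.
    sam_account_name: str
    user_principal_name: str
    netbios_domain: str
    groups: frozenset


# Constructed sample directory (hypothetical users and groups).
DIRECTORY = [
    DirectoryUser("jdoe", "jane.doe@example.com", "EXAMPLE",
                  frozenset({"GP-Users", "Finance"})),
    DirectoryUser("bsmith", "bob.smith@example.com", "EXAMPLE",
                  frozenset({"GP-Users"})),
]


def _normalise(username: str) -> str:
    # Directory names are case-insensitive; compare in one canonical form.
    return username.strip().lower()


def _candidate_names(user: DirectoryUser, attributes):
    """Every spelling of this user's name that the chosen attributes produce."""
    names = set()
    for attr in attributes:
        if attr == "sAMAccountName":
            names.add(_normalise(user.sam_account_name))
            # NetBIOS-prefixed form (DOMAIN\user) is derived from the same attribute.
            names.add(_normalise(f"{user.netbios_domain}\\{user.sam_account_name}"))
        elif attr == "userPrincipalName":
            names.add(_normalise(user.user_principal_name))
    return names


def lookup_groups(login_name, directory=DIRECTORY, attributes=("sAMAccountName",)):
    """Return the group set of the user whose mapped attributes match login_name,
    or None when no record matches (the user is effectively 'unknown' to the
    group mapping even though the account exists)."""
    key = _normalise(login_name)
    for user in directory:
        if key in _candidate_names(user, attributes):
            return set(user.groups)
    return None


def client_config_for(login_name, **kw):
    """Choose a client config by group membership. A user whose groups cannot
    be resolved gets None, the analogue of 'matching client config not found'."""
    groups = lookup_groups(login_name, **kw)
    if groups is None:
        return None
    if "Finance" in groups:
        return "finance-config"
    if "GP-Users" in groups:
        return "default-config"
    return None


if __name__ == "__main__":
    both = ("sAMAccountName", "userPrincipalName")
    print("UPN login, SAM-only mapping:", client_config_for("jane.doe@example.com"))
    print("UPN login, SAM+UPN mapping: ",
          client_config_for("jane.doe@example.com", attributes=both))
```

With the default single-attribute mapping a UPN login returns `None`; adding `userPrincipalName` to the mapped attributes makes the same login resolve to the user's groups and therefore to a client config.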