This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About tamerfahmy
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About tamerfahmy
05-19-2023
5Posts
0Likes
0Solutions
May 19, 2023Last Visited
User
Activity
User
Profile
Latest posts by tamerfahmy
| Subject | Views | Posted |
|---|---|---|
| 1321 | 05-19-2023 10:24 AM | |
| 916 | 03-27-2023 01:37 PM | |
| 392 | 03-27-2023 01:31 PM | |
| 1657 | 03-27-2023 01:30 PM | |
| 641 | 02-28-2023 09:09 AM |
User Badges
Community Statistics
| Member Since | 11-20-2018 01:09 PM |
| Date Last Visited | 05-19-2023 01:44 PM |
| Posts | 5 |
05-19-2023
10:24 AM
@JoseCortijo - I got my issue resolved with the help of PAN support, figured I'd share it here in case it helps you. For my two LDAP server profiles, i nstead of using LDAP/636 to each of my AD domains (root and child), I switched to GlobalCatalog/3269 to the root domain as well as LDAP/636 to the root domain. I then changed User ID group mapping to use the GlobalCatalog server profile, so that it could read all domains, and blanked the User Domain field in the group mapping config. Next, I added the relevant AD groups to the Group Mapping Group Include list and also to the SAML Authentication Profile Allow List under Advanced. Now in my Agent Client Settings, I add the relevant groups to the Source User list.
Here is the doc that helped me, as it recommends using Global Catalog if you have Universal AD Groups, and also mentions that the User Domain field can usually be left blank in the Group Mapping config: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/user-id/map-users-to-groups
HTH!
... View more
03-27-2023
01:37 PM
Hi @HCLCNNSecurity - Just curious, what did you end up doing to accomplish this task? I am having a similar issue. I am using SAML and I have an "any" user config which works fine. But I am trying to add a more restrictive config above that one, which contains specific users or groups, and cannot get it to work. I see that Security Policy might be the way to go according to Tom...
... View more
03-27-2023
01:31 PM
Hi @Navaneetharaj - did you ever figure this out? I am having a similar issue. I am using SAML and I have an "any" user config which works fine. But I am trying to add a more restrictive config above that one, which contains specific users or groups, and cannot get it to work. All users keep matching the "any" rule.
... View more
03-27-2023
01:30 PM
Hi @JoseCortijo - did you ever figure this out? I am having a similar issue. I am using SAML and I have an "any" user config which works fine. But I am trying to add a more restrictive config above that one, which contains specific users or groups, and cannot get it to work. All users keep matching the "any" rule.
... View more
02-28-2023
09:09 AM
Hi @Anbjorn - did you ever figure this out? I am having a similar issue. I am using SAML and I have an "any" user config which works fine. But I am trying to add a more restrictive config above that one, which contains specific users or groups, and cannot get it to work. All users keep matching the "any" rule.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
05-19-2023
01:44 PM
|
Latest Tags
No tags yet
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks