About jbabcock

jbabcock · ‎07-03-2014

Hello, No filter that is relevant to the group in question, it has got worse, we have a new user thats been added in AD, it can be seen on the Primary but not on the Secondary, even after a day. Also the group number enumeration between the two is not the same. Any ideas why the secondary is not synching up with the user-id and group information from the primary?

jbabcock · ‎06-25-2014

Hello, I have group mappings present on the Primary Firewall, not passing to the secondary Firewall. Specifically for a new gorup created today. I have tried the various debug refresh commands on both boxes to attempt the get the seocndary box to pull the new group, but no joy. Can anyone suggest what the issue here maybe? As far as the secondary box is concerned it doesn't exist. Which is kind of important as that box is primary for connectivity for a certain subnet that I cannot enforce a policy on based on group membership. Many thanks

jbabcock · ‎06-13-2014

Yes I'm going to see if I can explore that next week, not easy as a few thousand people are on it! Other thing I was going to look at was the syslog collector available in v6 PANOS. We are deploying fresh on V6, so this may provide part of the answer, routing into and out of DA would need to go via the Palo, and yes it could do the v6 NAT. If the syslog works, I then don't need to to try and get a v6 enabled DC in the mix, not sure if my server team could take the headache! At the moment I'm only worried about web traffic via a simple proxy (Web filtering all done by Palo), so I will configure a v6 entry into dns for it, and get DA to route out via the Palo to the proxy. if syslogging works, probably don't need anything else to confirm the user-id. I wonder if it would compare that user-id to the groups used in AD though? I think that's the closest to an answer if DA can syslog me what I need!

jbabcock · ‎06-13-2014

Hello, We have a Microsoft 2012 DA installation that enables clients to attach to our internal Infrastructure. The clients all end up with IPv6 addresses, and the DA server uses 6to4 translation for the clients to get to services. Problem I am finding is that when these clients log onto DA, our AD sees them all coming from the same IPv4 address. So I can't enforce proper URL Filtering based on user-id as the user-id that the firewall sees is constantly changing based on the AD logs seen by the agent. I have attempted to use Captive Portal using NTLM and without just using the portal page and to ignore ID's learnt from the AD logs on the DA subnet, but the result is essentially the same, as once another use logs in, the firewall thinks the IP/User relationship has changed again. Obviously you can get round this with Terminal Servers or Citrix servers using the specific agent. I have tried to install the agent on DA, but it won't install (Not really that surprising!) What is the correct answer in this instance? I can't convert my network to IPv6 to run DA natively, and I'm not sure what else we can do. At the moment I think we may have to buy a Proxy just for this purpose which is not really what we want to be doing. Any help much appreciated!

Member Since	‎05-17-2013 06:57 AM
Date Last Visited	‎08-18-2015 09:07 AM
Posts	4

Online Status	Offline
Date Last Visited	‎08-18-2015 09:07 AM

About jbabcock

Re: HA-HA group mappings not passing to secondary PANOS 6.03

HA-HA group mappings not passing to secondary PANOS 6.03

Re: Microsoft Direct Access and User-id in an IPv4 Environment confusion

Microsoft Direct Access and User-id in an IPv4 Environment confusion

Re: HA-HA group mappings not passing to secondary PANOS 6.03

HA-HA group mappings not passing to secondary PANOS 6.03

Re: Microsoft Direct Access and User-id in an IPv4 Environment confusion

Microsoft Direct Access and User-id in an IPv4 Environment confusion