LDAP Group Mappings in a Mixed 6.x and 7.x Environment with Panorama

User mlinsemier provides some insight for our mid-week discussion on LDAP group mappings using Panorama in a mixed PAN-OS enviornment.




I'd like to share a quick tip for people who may be considering upgrading from 6.x to 7.x in an environment using Panorama.


In PAN-OS 7.x, the information of your Active Directory domain has been moved from the LDAP settings to the Group Mapping Settings. As the first step in upgrading to 7.x is upgrading your Panorama server, you'll immediately notice the absence of this field in the template.


Panorama Template.png

Instead, the setting now appears under Group Mapping:


Group Mapping.png


If you push this template to any devices running PAN-OS 6.x, the domain field in the LDAP settings becomes empty, which can cause users in groups to return incorrect mapping without the domain.  In our case, it caused the following to happen:



IP Vsys From User IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------

X.X.X.X     vsys1  UIA     <domain>\mlinsemier                40             40


Group Mapping:


short name: <domain>\pan-downloads-it

source type: proxy
source: Group Mapping - Domain


[1 ] \mlinsemier
[2 ] \jsmith
[3 ] \jdoe


You'll notice that user names in the Group Mapping are missing domain information, causing any rules set up based on groups to map incorrectly.


To fix the problem with mapping, first push your template, then create a local override on each PAN-OS 6.x firewall for each LDAP group and enter your domain.


Firewall Domain.png


When upgrading a firewall to PAN-OS 7.x, Panorama may show templates for that device are still 'in sync' after the upgrade.  We didn't repush the templates after the upgrade to our PAN-OS 7.x firewalls, which meant that the domain field in Group Mapping was blank and caused the same issues.  After pushing the templates, the information was populated from the template and all was fixed.


Wanted to share in case others are experiencing the same issues.





Hope you enjoyed reading. Please feel free to comment.


Tom Piens



