User does not Match Correct Policy but is Listed in Group Mapping from AD


Created On 09/26/18 13:47 PM - Last Modified 04/20/20 22:37 PM



User, betest1$, is a part of group "cn=domain controllers,cn=users,dc=pantac2003,dc=com". A security policy applying the group name is configured correctly on the Palo Alto Networks firewall. However, when the betest1$ user accesses anything through the firewall, the intended rule (with the group name applied) is not matched. It appears that the betest1$ user is not a member of the group listed in the policy.



The screenshot below shows the security policy with the example group applied:



The user, betest1$, has been verified as a member of the group:

> show user group name "cn=domain controllers,cn=users,dc=pantac2003,dc=com"

source type: service
source:      pantac2003

[1    ]\betest1$
[2    ]\w2k3ad$


From the traffic logs, the user is identified as "pantac2003\betest1$".


From the information gathered above, the issue is caused by a mismatch between the username from the group mapping (\betest1$) and the username identified in the traffic logs (pantac2003\betest1$).



The traffic logs identify the user as pantac2003\betest1$ because the User-ID agent applies the NetBIOS domain name. In the group mapping, the domain prefix of \betest1$ carries an additional ".com" (the DNS domain name), so the two strings do not match and the policy is not hit.
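A check for this mismatch, added here as an example and not part of the original article or PAN-OS: it parses the member list from "show user group name" output, compares each member against the usernames the traffic log reports, and flags members that only match after reducing the DNS domain to its NetBIOS label. The sample output and log usernames are constructed, and the "pantac2003.com\" prefix on the members is an assumption (the quoted output above does not show it).

```python
import re

# Constructed sample modelled on the "show user group name" output above. The
# "pantac2003.com\" prefix is an assumption: the article says the group-mapping
# name carries an extra ".com", but the quoted output does not show the prefix.
GROUP_OUTPUT = """\
> show user group name "cn=domain controllers,cn=users,dc=pantac2003,dc=com"
source type: service
source:      pantac2003
[1    ]pantac2003.com\\betest1$
[2    ]pantac2003.com\\w2k3ad$
"""
# Constructed usernames as the traffic log reports them (NetBIOS domain prefix).
TRAFFIC_LOG_USERS = ["pantac2003\\betest1$", "PANTAC2003\\w2k3ad$"]

MEMBER_RE = re.compile(r"^\[\s*\d+\s*\](?P<name>\S.*)$")

def parse_group_members(output):
    """Return the 'domain\\user' strings listed as members in the CLI output."""
    members = []
    for line in output.splitlines():
        match = MEMBER_RE.match(line.strip())
        if match:
            members.append(match.group("name").strip())
    return members

def split_user(name):
    """Split 'domain\\user' into a case-folded (domain, user) pair; domain may be ''."""
    domain, _, user = name.rpartition("\\")
    return domain.lower(), user.lower()

def netbios_domain(domain):
    """Reduce a DNS-style domain such as 'pantac2003.com' to its first label."""
    return domain.split(".", 1)[0]

def find_mismatches(group_output, log_users):
    """Return (group_name, matching_log_name_or_None, diagnosis) for each member that fails an exact match."""
    logged = {split_user(u): u for u in log_users}
    report = []
    for raw in parse_group_members(group_output):
        domain, user = split_user(raw)
        if (domain, user) in logged:
            continue  # identical strings: the policy matches this user as-is
        fixed = (netbios_domain(domain), user)
        if fixed in logged:
            report.append((raw, logged[fixed], "domain suffix mismatch: set the "
                           "LDAP profile Domain to '%s' or leave it blank" % fixed[0]))
        else:
            report.append((raw, None, "no traffic-log user with this name"))
    return report
```

An empty report means every group member's name is byte-for-byte what the traffic log reports, which is the state the Domain field change below is meant to reach.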


Check the LDAP server profile settings for an entry in the Domain field:



Either delete the domain name entirely and leave the field blank, or trim the ".com" and leave "pantac2003".



After committing the changes, the user should be identified correctly as a part of the intended group that is specified in the policy.


See Also

What Should be Configured as Domain in an LDAP Profile?


owner: pvemuri
