Issue
User, betest1$, is a part of group "cn=domain controllers,cn=users,dc=pantac2003,dc=com". A security policy applying the group name is configured correctly on the Palo Alto Networks firewall. However, when the betest1$ user accesses anything through the firewall, the intended rule (with the group name applied) is not matched. It appears that the betest1$ user is not a member of the group listed in the policy.
Details
The screenshot below shows the security policy with the example group applied:

The user, betest1$, has been verified as a member of the group:
> show user group name "cn=domain controllers,cn=users,dc=pantac2003,dc=com"
source type: service
source: pantac2003
[1 ] pantac2003.com\betest1$
[2 ] pantac2003.com\w2k3ad$
From the traffic logs, the user is identified as "pantac2003\betest1$".

From the information gathered above, the issue is caused by a mismatch between the username from the group mapping (pantac2003.com\betest1$) and the username identified in the traffic logs (pantac2003\betest1$).
Resolution
The user is identified as pantac2003\betest1$ in the traffic logs because the User-ID agent applies the NetBIOS domain name. In the group mapping, the username pantac2003.com\betest1$ carries an additional ".com", so the two forms never match and the policy's group rule does not apply.
Check the LDAP server profile settings for an entry in the Domain field:

Delete the domain name entirely and leave it blank, or trim the .com and leave "pantac2003".

After committing the changes, the user should be identified correctly as a part of the intended group that is specified in the policy.
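The diagnosis above comes down to comparing the user as seen in the traffic log with the users listed by "show user group name" and noticing that only the domain part differs. The following script is an added example, not Palo Alto Networks code, that performs that comparison on a constructed copy of the group output shown earlier and reports whether a non-match is explained by a DNS-style domain (pantac2003.com) versus a NetBIOS domain (pantac2003); the output format and usernames are taken from this article, and the classification labels are the example's own.

```python
"""Compare a User-ID identity against 'show user group name' output.

Added example (not Palo Alto Networks code). GROUP_OUTPUT is a constructed
copy of the CLI output in the article; the traffic-log identity is the one
the article reports.
"""
import re

GROUP_OUTPUT = """\
source type: service
source: pantac2003
[1 ] pantac2003.com\\betest1$
[2 ] pantac2003.com\\w2k3ad$
"""

# Member lines look like "[1 ] domain\user"; everything else is header text.
MEMBER_RE = re.compile(r"^\[\s*\d+\s*\]\s+(\S+)$")


def parse_group_members(output):
    """Return the 'domain\\user' strings listed in the group output, lower-cased."""
    members = []
    for line in output.splitlines():
        m = MEMBER_RE.match(line.strip())
        if m:
            members.append(m.group(1).lower())
    return members


def split_identity(identity):
    """Split 'domain\\user' into (domain, user); no backslash means no domain."""
    domain, sep, user = identity.lower().partition("\\")
    return (domain, user) if sep else ("", domain)


def check_membership(log_identity, output):
    """Return 'match', 'domain-suffix-mismatch' or 'no-match'.

    'domain-suffix-mismatch' means the user is in the group but the group
    mapping carries a DNS-style domain while User-ID supplied the NetBIOS
    name, which is the symptom the LDAP profile's Domain field produces.
    """
    log_dom, log_user = split_identity(log_identity)
    for member in parse_group_members(output):
        dom, user = split_identity(member)
        if user != log_user:
            continue
        if dom == log_dom:
            return "match"
        # Compare only the first DNS label: "pantac2003.com" -> "pantac2003"
        if dom.split(".")[0] == log_dom.split(".")[0]:
            return "domain-suffix-mismatch"
    return "no-match"
```

Running check_membership("pantac2003\\betest1$", GROUP_OUTPUT) reproduces the article's situation and returns "domain-suffix-mismatch"; after the Domain field is fixed, the same user is expected to return "match".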
See Also
What Should be Configured as Domain in an LDAP Profile?
owner: pvemuri