Panorama does not auto-populate user-group information for any references in the Template
14509
Created On 01/20/20 15:05 PM - Last Modified 07/10/20 18:35 PM
Symptom
- Short-name format ( Domain\User-Group ) is pushed from the Panorama for user-group based GP agent configuration.
- Users fail to match the group and receives wrong configuration from the Portal.
- Master device is configured on Panorama to pull user group information.
Cause
- Firewall sees the short-name user-group format as a single user instead of group.
- To auto-populate group information for Device Group object the information is sent to the configured master device for retrieving the user to user-group membership.
- For Template there is no lookup concept and fails on auto-populate as well as short-name to DN name format.
Resolution
Replace the short-name format with the DN format ( cn=..) for all references of user-group when it is a part of Template configuration pushed from the Panorama.
Additional Information
- Short name : Domain\Group pushed from the Panorama to the firewall for GP agent configuration:
panorama running-config:
*********************************
gp-portal {
portal-config {
source-user Domain\Group;
os any;
firewall running-config:
***************************
gp-portal {
portal-config {
source-user Domain\Group; <<<<<< considered as a single user
os any;
- DN name used in the agent configuration when pushed from the Panorama:
panorama running-config:
********************************
gp-portal {
portal-config {
source-user cn=Group,cn=users,dc=Domain,dc=local; <<<<<< user group
firewall running-config:
***************************
gp-portal {
portal-config {
source-user cn=Group,cn=users,dc=Domain,dc=local;