LDAP / Active Directory group no longer matching security rule


14285
Created On 12/20/20 18:27 PM - Last Modified 06/12/23 14:00 PM


Symptom


A security rule that references an Active Directory group name learned by Group Mapping on the firewall may suddenly stop matching traffic. In this case, check whether the group appears with exactly the same Distinguished Name in the output of both the 'show running security-policy' and the 'show user group list' CLI commands.
 
> show running security-policy

DP s1dp0:

"Email Rule; index: 86" {
        from Trust;
        source 10.10.0.0/22;
        source-region none;
        to DMZ;
        destination 10.50.50.0/24;
        destination-region none;
        user "cn=email_users,ou=email,ou=security,ou=users,dc=palolabs,dc=com";
> show user group list
[...]

cn=email_users,ou=global,ou=groups,dc=palolabs,dc=com

As seen above, the same group name (cn=email_users) appears in both outputs, but the Active Directory paths (the OU components of the DN) differ.
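The comparison described above can be automated. The following is an added example and not Palo Alto Networks code: it parses constructed samples shaped like the two CLI outputs, and for every group DN referenced in the policy that Group Mapping no longer reports, looks up the learned DN with the same CN to show where the group most likely moved.

```python
import re

# Constructed sample in the shape of 'show running security-policy' output.
POLICY_OUTPUT = '''
"Email Rule; index: 86" {
        from Trust;
        to DMZ;
        user "cn=email_users,ou=email,ou=security,ou=users,dc=palolabs,dc=com";
}
"VPN Rule; index: 87" {
        user "cn=vpn_users,ou=global,ou=groups,dc=palolabs,dc=com";
}
'''

# Constructed sample in the shape of 'show user group list' output.
GROUP_LIST_OUTPUT = '''
[...]
cn=email_users,ou=global,ou=groups,dc=palolabs,dc=com
cn=vpn_users,ou=global,ou=groups,dc=palolabs,dc=com
'''

# A group DN line: cn=... followed by one or more ou=/dc= components.
_DN_RE = re.compile(r'^cn=[^,]+(?:,[a-z]+=[^,]+)+$', re.IGNORECASE)

def normalize_dn(dn):
    """Lower-case the DN and strip spaces around RDN separators, so case or
    spacing differences between the two CLI outputs are not mistaken for a move."""
    return ','.join(part.strip() for part in dn.strip().split(',')).lower()

def policy_group_dns(text):
    """DNs referenced by 'user "..."' statements in the running policy."""
    return {normalize_dn(m) for m in re.findall(r'user\s+"([^"]+)"', text)}

def learned_group_dns(text):
    """DNs that Group Mapping has currently learned from the directory."""
    return {normalize_dn(l) for l in text.splitlines() if _DN_RE.match(l.strip())}

def find_moved_groups(policy_text, group_list_text):
    """Map each configured DN that is no longer learned to the learned DN with
    the same CN (the group's probable new OU), or to None if the CN is gone."""
    learned = learned_group_dns(group_list_text)
    by_cn = {dn.split(',', 1)[0]: dn for dn in learned}
    return {dn: by_cn.get(dn.split(',', 1)[0])
            for dn in policy_group_dns(policy_text) if dn not in learned}

if __name__ == '__main__':
    for old, new in find_moved_groups(POLICY_OUTPUT, GROUP_LIST_OUTPUT).items():
        print(old, '->', new or 'no learned group with this CN')
```

Feed it the saved output of the two commands in place of the constructed samples; a stale DN mapped to None means the group was removed or renamed rather than moved.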


Cause


It is highly likely that an Active Directory administrator moved the security group from one OU (Organizational Unit) to another in the Active Directory tree, and the next Group Mapping refresh updated the group's OU information in the Group Mappings on the firewall.

Since the groups are stored in configuration in the full DN (Distinguished Name) format, the new group path will not match what is currently configured in the security policy. 


Resolution


The groups will need to be removed from the security policy and re-added, so that the policy stores the group's current DN and matches again.

Alternatively, the group can be moved back to its original OU and the group mapping refreshed manually with one of the following CLI commands:

debug user-id refresh group-mapping <group mapping>
debug user-id refresh group-mapping all

