Traffic not matching the configured security policy with user groups
Created On 04/18/21 18:04 PM - Last Modified 03/07/23 04:45 AM
Symptom
- Security Policies with User-ID Groups not matching traffic
- Created new Security Policy with same User-ID Group and is working
Environment
- Prisma Access
- User-ID based Security Policies
Cause
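The group name format was incorrect: the name configured in the policy had added spaces between the components of the group's distinguished name. As the examples below show, unnecessary uppercase characters also prevent a match.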
Working
"cn=global prod url filtering exception unrestricted,ou=security services,ou=enterprise services,dc=acme,dc=org"
Not working
"cn=global prod url filtering exception unrestricted, ou=security services, ou=enterprise services, dc=zurich,dc=com" (unnecessary spaces)
"cn=Global prod url filtering exception unrestricted,ou=Security services,ou=Enterprise services,dc=Acme,dc=Org" (unnecessary uppercase)
Resolution
Find the correct user-group name and configure it in the appropriate security policies, as follows:
- Find your group names on your LDAP server and note them down.
- From the PAN-OS GUI, navigate to Device > User Identification > Group Mapping Settings.
- Add or edit your group, then select the Group Include List tab.
- Click Add, then copy in all the groups you plan to use in your Security Policies.
- Click OK, then Commit and Push your changes.
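The following added example (not part of the original article and not a Palo Alto Networks tool) compares the group names used in security policies against the names in the group mapping and reports which ones differ only by the spacing or case problems described under Cause. The function names and the idea of exporting both sets of names as plain lists are assumptions; the sample names are constructed from the article's working example.

```python
import re

def normalize_dn(dn, fold_case=True):
    """Drop whitespace around ',' and '=' separators; optionally lowercase."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn.strip()):  # split on unescaped commas
        attr, sep, value = part.partition("=")
        rdns.append(f"{attr.strip()}{sep}{value.strip()}")
    out = ",".join(rdns)
    return out.lower() if fold_case else out

def check_policy_groups(policy_groups, mapped_groups):
    """Return {policy_group: (status, reasons)}.

    'ok'      exact match with a mapped group
    'format'  matches only after normalization; reasons say what differs
    'unknown' no mapped group matches even after normalization
    """
    by_norm = {normalize_dn(g): g for g in mapped_groups}
    results = {}
    for name in policy_groups:
        target = by_norm.get(normalize_dn(name))
        if name in mapped_groups:
            results[name] = ("ok", [])
        elif target is None:
            results[name] = ("unknown", [])
        else:
            reasons = []
            if name.lower() != target.lower():  # still differs once case is ignored
                reasons.append("spaces")
            if normalize_dn(name, False) != normalize_dn(target, False):
                reasons.append("case")          # still differs once spacing is fixed
            results[name] = ("format", reasons)
    return results

# Constructed sample data: MAPPED is the article's working form; the others are variants.
MAPPED = ["cn=global prod url filtering exception unrestricted,"
          "ou=security services,ou=enterprise services,dc=acme,dc=org"]
SPACED = ("cn=global prod url filtering exception unrestricted, "
          "ou=security services, ou=enterprise services, dc=acme,dc=org")
UPPER = ("cn=Global prod url filtering exception unrestricted,"
         "ou=Security services,ou=Enterprise services,dc=Acme,dc=Org")
MISSING = "cn=constructed missing group,dc=acme,dc=org"

if __name__ == "__main__":
    report = check_policy_groups([MAPPED[0], SPACED, UPPER, MISSING], MAPPED)
    for name, (status, reasons) in report.items():
        print(f"{status:8} {','.join(reasons):12} {name}")
```

Any name reported as `format` should be replaced in the policy with the exact string from the group mapping; a name reported as `unknown` is not in the Group Include List at all.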
Additional Information
How to check user groups: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVcCAK