User traffic does not match the expected group-based security policy when the firewall retrieves group information from CIE (Cloud Identity Engine)
3785
Created On 08/18/22 08:50 AM - Last Modified 05/31/25 03:23 AM
Symptom
- User traffic passing through the firewall intermittently matches unexpected group-based security rules.
- A commit sometimes resolves the issue, but sometimes it does not.
Environment
- Firewall retrieving group information for security rules from CIE (Cloud Identity Engine)
- Strata
- Prisma Access
Cause
- CIE stops reading information for the remaining groups/users if any domain/group configured in Panorama or on the firewall cannot be found in CIE.
- For example, the group 'test-group' or 'cn=test-group,ou=user groups,dc=test,dc=local' is configured as the source user in a security rule on the firewall.
- The firewall attempts to retrieve these groups from CIE.
- If CIE does not have such a group, the CIE synchronization stops and the firewall does not retrieve the group members, which causes the policy mismatch.
Resolution
Check the following configuration in all locations (Shared/Vsys) and in all Device Groups/Templates, and remove any invalid groups.
DEVICE tab:
+ Authentication Profile -> [Any Authentication Profiles] -> Advanced -> Allow List
+ Server Profiles -> LDAP -> [Any LDAP Servers] -> Base DN
+ Server Profiles -> LDAP -> [Any LDAP Servers] -> Bind DN
+ User Identification -> Group Mapping Settings -> [Any Group Mappings] -> Group Include List
+ Local User Database -> User Groups
NETWORK tab:
+ GlobalProtect -> Portals -> [Any Portals] -> Agent -> [Any CONFIGS] -> Config Selection Criteria -> User/User Group -> USER/USER GROUP
+ GlobalProtect -> Portals -> [Any Portals] -> Clientless VPN -> Applications -> [Any CONFIGS] -> USER/USER GROUP
+ GlobalProtect -> Gateways -> [Any Gateways] -> Client Settings -> [Any CONFIGS] -> Config Selection Criteria -> SOURCE USER
POLICIES tab:
+ Authentication -> Pre/Post Rules -> [Any rules] -> Source -> SOURCE USER
+ Security -> Pre/Post Rules -> [Any rules] -> Source -> SOURCE USER
+ QoS -> Pre/Post Rules -> [Any rules] -> Source -> SOURCE USER
+ Policy Based Forwarding -> Pre/Post Rules -> [Any rules] -> Source -> SOURCE USER
+ Decryption -> Pre/Post Rules -> [Any rules] -> Source -> SOURCE USER
+ DoS Protection -> Pre/Post Rules -> [Any rules] -> Source -> SOURCE USER
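As an added example (not part of this article and not a Palo Alto Networks tool), the following Python script scans an exported PAN-OS/Panorama XML configuration for source-user entries in rulebases that do not correspond to any group known to CIE, so invalid groups can be located before they stall the CIE sync. The rulebase path (rules/entry/source-user/member), the sample XML and the CIE group list are assumptions constructed for illustration; the real CIE group list must come from your own environment.

```python
"""Added example: find source-user group references that CIE does not know.
The XML layout is a constructed sample mirroring a Panorama pre-rulebase;
treat the exact element paths as assumptions and adjust for your export."""
import xml.etree.ElementTree as ET

# Constructed sample config (not a real export): one device group, two rules.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain">
    <device-group><entry name="branch-dg">
      <pre-rulebase><security><rules>
        <entry name="allow-finance">
          <source-user><member>cn=finance,ou=user groups,dc=test,dc=local</member></source-user>
        </entry>
        <entry name="allow-test">
          <source-user><member>test-group</member><member>any</member></source-user>
        </entry>
      </rules></security></pre-rulebase>
    </entry></device-group>
  </entry></devices>
</config>"""

# Constructed: the groups CIE actually reports for this directory.
CIE_GROUPS = {"cn=finance,ou=user groups,dc=test,dc=local",
              "cn=hr,ou=user groups,dc=test,dc=local"}

# source-user keywords that are not group names and must not be flagged
SPECIAL_USERS = {"any", "known-user", "unknown", "pre-logon"}


def find_unknown_groups(config_xml: str, cie_groups: set[str]) -> list[tuple[str, str]]:
    """Return (rule name, member) pairs whose source-user is not a CIE group.

    Full DNs are compared case-insensitively; a short name such as 'test-group'
    is also accepted if it equals the CN of some CIE group.
    """
    known = {g.lower() for g in cie_groups}
    short_names = {g.split(",")[0].split("=", 1)[-1].lower() for g in cie_groups}
    root = ET.fromstring(config_xml)
    unknown = []
    # .//rules/entry matches vsys rulebases and Panorama pre/post rulebases alike
    for rule in root.iterfind(".//rules/entry"):
        for member in rule.iterfind("./source-user/member"):
            value = (member.text or "").strip()
            v = value.lower()
            if v in SPECIAL_USERS or v in known or v in short_names:
                continue
            unknown.append((rule.get("name", "?"), value))
    return unknown


if __name__ == "__main__":
    for rule, group in find_unknown_groups(SAMPLE_CONFIG, CIE_GROUPS):
        print(f"rule {rule!r}: {group!r} not found in CIE; remove or correct it")
```

Individual user names placed in source-user are reported too, since the script cannot tell them from group names; review those hits manually rather than removing them blindly.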
Additional Information
In the future, more locations where CIE looks up group settings may be added. Check the configuration thoroughly to find any invalid groups and remove them.