DNS traffic being blocked for GP users due to missing HIP reports

Created On 07/26/24 17:13 PM - Last Modified 02/10/25 20:30 PM


Symptom


  •  The customer has multiple usernames configured for their admin users
  •  Their security policies allow only one of the two usernames rather than both
  •  The user traffic is hitting the default intrazone policy, resulting in denied traffic


Environment


  •  PANOS-10.2-6
  •  Any Palo Alto Networks firewall
  •  GP-6.2.0


Cause


  •  The firewall clears the HIP report whenever it sees a different username from the same host. This is expected behavior: it prevents an unauthorized user from maintaining access to sensitive resources under a HIP report that was submitted for someone else.


Resolution


  To avoid this issue the customer would need to do one of the following:
    1.  Configure both usernames on the DC under the existing user entry and map them to the firewall using attributes.
        Note: If you choose this option you must reset the idmgr table during a maintenance window using the following command: debug device-server reset id-manager type all
    2.  Create a new group just for the admins' secondary username, map this group to the firewall, and then add this group to the existing security policy.
  Additional documentation discussing how to complete both options in detail: https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/user-id/map-users-to-groups
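The following is an added example, not code from the article or from Palo Alto Networks: a small Python model of the behavior described above, showing why a rule that lists only one of an admin's usernames falls through to the default rule once a second username is seen from the same host, and how allowing both usernames (the group option) changes the outcome. Hostnames, usernames and rule names are constructed for illustration.

```python
# Added illustration (not the article's code). The firewall keeps one HIP
# report per host; a different username seen from the same host replaces
# (clears) the stored report, so a HIP-based rule matching only one of the
# admin's usernames stops matching and traffic hits the default rule.
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    users: frozenset      # allowed source users (a group expanded to members)
    require_hip: bool     # rule only matches when a valid HIP report exists


@dataclass
class Firewall:
    rules: list
    hip: dict = field(default_factory=dict)  # host -> user holding a valid HIP report

    def submit_hip(self, host: str, user: str) -> None:
        """GP client submits a HIP report; a new user on the same host clears the old one."""
        self.hip[host] = user

    def evaluate(self, host: str, user: str) -> str:
        """Return the name of the first rule matching this user's traffic."""
        for r in self.rules:
            if user not in r.users:
                continue
            if r.require_hip and self.hip.get(host) != user:
                continue  # HIP report for this user is missing or was cleared
            return r.name
        return "intrazone-default"  # no explicit match: default rule applies


def single_user_policy() -> Firewall:
    # Constructed: policy that allows only the admin's primary username.
    return Firewall([Rule("allow-dns-admins", frozenset({"alice"}), True)])


def both_users_policy() -> Firewall:
    # Constructed: the article's fix, a group containing both usernames.
    return Firewall([Rule("allow-dns-admins", frozenset({"alice", "alice-adm"}), True)])


def scenario(fw: Firewall) -> list:
    """Primary user logs in, then the secondary username from the same host."""
    host = "10.0.0.5"  # constructed endpoint address
    results = []
    fw.submit_hip(host, "alice")
    results.append(fw.evaluate(host, "alice"))
    fw.submit_hip(host, "alice-adm")         # different username, same host
    results.append(fw.evaluate(host, "alice-adm"))
    results.append(fw.evaluate(host, "alice"))  # old report cleared
    return results
```

With the single-username policy the secondary login lands on the default rule; with both usernames allowed it matches the admin rule, while the primary username still needs a fresh HIP report after the clear.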


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000scbNCAQ&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail