How to match a GlobalProtect Portal Agent Configuration using Active Directory group and Verify
Created On 06/16/22 15:11 PM - Last Modified 10/11/24 20:36 PM
Objective
- Match a GlobalProtect Portal Agent Configuration (Config) to an Active Directory (AD) group, so that users who belong to that group receive a specific Portal Agent Config.
- The authentication method on the Portal can be LDAP, the local user database, SAML, etc., or even certificate-based authentication.
- In this example, Portal authentication is via LDAP.
Environment
- Palo Alto Firewalls
- Supported PAN-OS
- GlobalProtect Portal
- LDAP Authentication
- Group-Mapping with AD groups
- GlobalProtect (GP) App
Procedure
- Group-Mapping settings are based on an LDAP connection to an AD server, which enables the firewall to pull down AD groups.
- These AD groups can be referenced in a GP Portal Agent Config to match a GP-authenticated user who is part of an AD group.
- Independent of the authentication type used, make sure the username provided is able to match the username seen in the AD group.
Procedure
- Prior to configuring Group-Mapping settings, make sure the LDAP server profile is configured correctly with the required fields (encircled in red below). GUI: Device > Server Profiles > LDAP
- Next, configure a new Group-Mapping configuration or use an existing one (gp in this example) associated with the previously configured LDAP server profile, and add the domain name bear in the User Domain field. The remaining fields can be left at their defaults. GUI: Device > User Identification > Group Mapping Settings > Server Profile
- The values of the Primary Username and Alternate Username 1 fields are swapped in the User and Group Attributes tab, as encircled in red below. The reason for this change is to match the GP username when logging into the GP app using the 'userPrincipalName' (UPN) format 'username@domain.com'. GUI: Device > User Identification > Group Mapping Settings > User and Group Attributes
- Once the above steps are configured and committed, run the following firewall CLI command to display the Primary and Alternate usernames. The Primary username is in the UPN format 'user1@bear.com' because the Primary Username field is set to 'userPrincipalName' in the User and Group Attributes tab of the Group-Mapping settings:
admin@PA-VM> show user user-attributes user user1@bear.com
Primary: user1@bear.com
Alt User Names:
1) bear\user1
- NOTE: Modify the authentication profile username modifier to "%USERINPUT%@%USERDOMAIN%" under GUI: Device > Authentication Profile > Authentication. Refer to the related article How authentication username modifiers affect the usernames.
- If Available Groups can be expanded in the Group Include List tab of the Group-Mapping settings, it can be concluded that the LDAP server profile is working. Click + or - to add the AD group(s) to be used with GP or other firewall configurations.
NOTE: Using the Group Include List is recommended if you have multiple AD groups and not all of them are going to be in use. This limits the number of AD groups that need to be pulled down from the AD server to the firewall and helps keep the firewall's management-plane CPU and memory from being over-utilized. GUI: Device > User Identification > Group Mapping Settings > Group Include List
- After configuring the above steps and committing, verify the details of the AD group bear\vpn in the firewall CLI using the following commands:
admin@PA-VM> show user group list
cn=vpn,ou=vpnou,dc=bear,dc=com
Total: 1
* : Custom Group
admin@PA-VM> show user group name "cn=vpn,ou=vpnou,dc=bear,dc=com"
short name: bear\vpn
source type: ldap
source: gp
[1 ] user1@bear.com
[2 ] user2@bear.com
[3 ] user3@bear.com
[4 ] vpnuser@bear.com
- Now that the Group-Mapping settings are configured and working correctly, either add a new GP Portal Agent Config or modify an existing one to include the bear\vpn AD group in the USER/USER GROUP field as a match criterion, as seen below. GUI: Network > GlobalProtect > Portals > Agent
- Test the configuration by logging into the GP app as 'user1@bear.com'. The GP Portal connection should succeed, and this can be verified in the firewall's GlobalProtect logs in the Monitor tab: the Description column displays the matched Config name, portal_gw. The log filter "( portal neq gateway ) and ( eventid eq portal-getconfig )" can be used to display the exact log entry. GUI: Monitor > Logs > GlobalProtect
- Another way to verify which configuration is being hit is to enable the following debugs in the firewall CLI before the user connects to GP and disable them after the user's connection attempt (for example, after the user fails to get the configuration):
For PAN-OS 10.1 or lower code
> debug ssl-vpn global on debug
> debug ssl-vpn global show [Displays logging level]
> debug ssl-vpn global on info [Logging level changed to info]
From PAN-OS 10.2, collecting GlobalProtect logs for specific users on the server side can be done by enabling a trace log that matches a specific portal, gateway, username, or source IP address:
> debug gp-broker gpsvc trace global-log debug
> debug gp-broker gpsvc trace show [Displays logging level]
> debug gp-broker gpsvc trace global-log normal [Logging level changed to info]
- After the debug above is enabled, have the user attempt to connect, and then check the following log file via the firewall CLI for the highlighted log entries indicating the AD group match with the correct GP Portal Agent Config, portal_gw:
> less mp-log appweb3-sslvpn.log
globalprotect_get_user_attrs_and_groups(modsslvpn_sysd_if.c:772): query useridd for user attrs and groups: vsys_id (1); user (user1@bear.com); domain ();
globalprotect_get_user_attrs_and_groups(modsslvpn_sysd_if.c:804): query useridd for users: out user attr (bear\user1);
globalprotect_get_user_attrs_and_groups(modsslvpn_sysd_if.c:804): query useridd for users: out user attr (user1@bear.com);
globalprotect_get_user_attrs_and_groups(modsslvpn_sysd_if.c:825): query useridd for groups: out group (cn=vpn,ou=vpnou,dc=bear,dc=com);
pan_gp_cfg_get_clientconfig(pan_gp_cfg.c:1298): found user group cn=vpn,ou=vpnou,dc=bear,dc=com
pan_usr_cfg_find_configs(pan_usr_cfg.c:1142): found user attr bear\user1
pan_usr_cfg_hash_find(pan_usr_cfg.c:490): no config found for bear\user1
pan_usr_cfg_find_configs(pan_usr_cfg.c:1142): found user attr user1@bear.com
pan_usr_cfg_hash_find(pan_usr_cfg.c:490): no config found for user1@bear.com
pan_usr_cfg_hash_find(pan_usr_cfg.c:488): config found for cn=vpn,ou=vpnou,dc=bear,dc=com
pan_usr_cfg_find_configs(pan_usr_cfg.c:1157): append config idx vec for user group cn=vpn,ou=vpnou,dc=bear,dc=com
pan_usr_cfg_print_config_idx(pan_usr_cfg.c:899): config_idx is 1
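To make the debug output above easier to interpret when reviewing many connection attempts, here is an added Python example (not from this article or from Palo Alto Networks) that parses appweb3-sslvpn.log entries, lists the username forms and group DNs that useridd returned, records which criteria were rejected, and reports the criterion and config_idx that selected the Portal Agent Config. The embedded log excerpt is constructed from the entries shown above; a log with no "config found" line yields an empty match, which is the case to look for when a user lands on the wrong config.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# appweb3-sslvpn.log excerpt, constructed from the entries shown in this article (raw string so bear\user1 survives).
SAMPLE_LOG = r"""
globalprotect_get_user_attrs_and_groups(modsslvpn_sysd_if.c:772): query useridd for user attrs and groups: vsys_id (1); user (user1@bear.com); domain ();
globalprotect_get_user_attrs_and_groups(modsslvpn_sysd_if.c:804): query useridd for users: out user attr (bear\user1);
globalprotect_get_user_attrs_and_groups(modsslvpn_sysd_if.c:804): query useridd for users: out user attr (user1@bear.com);
globalprotect_get_user_attrs_and_groups(modsslvpn_sysd_if.c:825): query useridd for groups: out group (cn=vpn,ou=vpnou,dc=bear,dc=com);
pan_usr_cfg_hash_find(pan_usr_cfg.c:490): no config found for bear\user1
pan_usr_cfg_hash_find(pan_usr_cfg.c:490): no config found for user1@bear.com
pan_usr_cfg_hash_find(pan_usr_cfg.c:488): config found for cn=vpn,ou=vpnou,dc=bear,dc=com
pan_usr_cfg_print_config_idx(pan_usr_cfg.c:899): config_idx is 1
"""

@dataclass
class ConfigSelection:
    user: Optional[str] = None                            # username the portal queried useridd for
    user_attrs: List[str] = field(default_factory=list)   # Primary + Alternate usernames returned
    groups: List[str] = field(default_factory=list)       # group DNs returned by Group-Mapping
    rejected: List[str] = field(default_factory=list)     # criteria tried that matched no config
    matched_on: Optional[str] = None                      # user attr or group DN that selected the config
    config_idx: Optional[int] = None                      # index of the Portal Agent Config handed out

_PATTERNS = [  # (attribute, is_list, regex); the first regex that matches a line wins
    ("user", False, re.compile(r"query useridd for user attrs and groups:.*user \(([^)]*)\)")),
    ("user_attrs", True, re.compile(r"out user attr \(([^)]*)\)")),
    ("groups", True, re.compile(r"out group \(([^)]*)\)")),
    ("rejected", True, re.compile(r"no config found for (\S+)")),
    ("matched_on", False, re.compile(r"\bconfig found for (\S+)")),
    ("config_idx", False, re.compile(r"config_idx is (\d+)")),
]

def parse_config_selection(log_text: str) -> ConfigSelection:
    """Reconstruct from the debug log how the Portal Agent Config was chosen."""
    sel = ConfigSelection()
    for line in log_text.splitlines():
        for attr, is_list, rx in _PATTERNS:
            if m := rx.search(line):
                val = int(m.group(1)) if attr == "config_idx" else m.group(1)
                if is_list: getattr(sel, attr).append(val)
                else: setattr(sel, attr, val)
                break
    return sel

def selected_by_group(sel: ConfigSelection) -> bool:
    """True when the config was selected via an AD group rather than a username match."""
    return sel.matched_on is not None and sel.matched_on in sel.groups
```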
- As for the GlobalProtect App logs on the end user's computer: although the GP Portal Agent Config name is not displayed, PanGPA.log displays the details of the configuration in XML format, as shown in Step 2 of this article.