Groups not Pulled on the Palo Alto Networks Firewall after Adding a User-ID Agent

35961
Created On 09/27/18 07:01 AM - Last Modified 10/08/20 20:55 PM


Symptom

Groups do not show up on the CLI and the web UI of the Palo Alto Networks firewall. The LDAP server profile is configured and used for Group Mapping (Device > User Identification > Group Mapping Settings). Proper connectivity to the LDAP server is verified by expanding the groups under the Group Include List:

User-added image

Cause

If a User-ID Agent is configured to be used as an LDAP Proxy (Device > User Identification > User-ID-Agents) and an LDAP server profile is also used, then the groups may not be pulled on the Palo Alto Networks firewall.

User-added image

Resolution

Uncheck the "Use as LDAP Proxy" option and perform a commit.

User-added image

When the commit operation completes, run one of the following commands on the CLI to verify that the groups are being pulled:

  • > show user group-mapping state all
  • > show user group-mapping statistics
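As an added example (not part of the original article), the following Python script audits an exported PAN-OS configuration for the exact conflict described above: a User-ID agent flagged as LDAP proxy on a vsys that also has a Group Mapping entry. The element names `user-id-agent`, `ldap-proxy` and `group-mapping` are assumptions based on the PAN-OS configuration schema, and the embedded XML is a constructed, trimmed sample rather than a real export; check both against your own running config before relying on the script.

```python
"""
Audit an exported PAN-OS configuration for the group-mapping conflict
described in the article: a User-ID agent with "Use as LDAP Proxy" set
on the same vsys as an LDAP-backed Group Mapping.

ASSUMPTION: the element names user-id-agent/entry/ldap-proxy and
group-mapping/entry follow the PAN-OS config schema; confirm them
against your own export before trusting the result.
"""
from typing import Dict, List
import xml.etree.ElementTree as ET

# Constructed sample (not a real export): one vsys with two agents, one of
# which is set as LDAP proxy, plus a group mapping backed by an LDAP profile.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain">
    <vsys><entry name="vsys1">
      <user-id-agent>
        <entry name="uid-agent-1">
          <host>10.0.0.5</host>
          <port>5007</port>
          <ldap-proxy>yes</ldap-proxy>
        </entry>
        <entry name="uid-agent-2">
          <host>10.0.0.6</host>
          <port>5007</port>
          <ldap-proxy>no</ldap-proxy>
        </entry>
      </user-id-agent>
      <group-mapping>
        <entry name="gm-corp">
          <server-profile>ldap-corp</server-profile>
          <group-object><object-class>group</object-class></group-object>
        </entry>
      </group-mapping>
    </entry></vsys>
  </entry></devices>
</config>"""


def find_ldap_proxy_conflicts(config_xml: str) -> List[Dict]:
    """Return one finding per vsys that has both an LDAP-proxy agent and a
    Group Mapping entry, i.e. the combination that stops groups being pulled."""
    root = ET.fromstring(config_xml)
    findings = []
    for vsys in root.iterfind(".//vsys/entry"):
        # Agents whose ldap-proxy flag is "yes" (missing flag treated as "no").
        proxy_agents = [
            agent.get("name")
            for agent in vsys.iterfind("./user-id-agent/entry")
            if (agent.findtext("ldap-proxy") or "no").strip().lower() == "yes"
        ]
        mappings = [gm.get("name") for gm in vsys.iterfind("./group-mapping/entry")]
        if proxy_agents and mappings:
            findings.append({
                "vsys": vsys.get("name"),
                "ldap_proxy_agents": proxy_agents,
                "group_mappings": mappings,
                "fix": "Uncheck 'Use as LDAP Proxy' on the listed agent(s), commit, "
                       "then verify with 'show user group-mapping state all'.",
            })
    return findings


if __name__ == "__main__":
    for finding in find_ldap_proxy_conflicts(SAMPLE_CONFIG):
        print(f"vsys {finding['vsys']}: LDAP-proxy agent(s) {finding['ldap_proxy_agents']} "
              f"conflict with group mapping(s) {finding['group_mappings']}")
        print("  ->", finding["fix"])
```

Run it against a saved configuration export (for example the XML produced by `show config running`, saved to a file and read into `find_ldap_proxy_conflicts`) to flag the vsys entries where the checkbox still needs to be cleared before the commit.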


Note: The User-ID software agent 4.1 and above has no settings of its own for gathering group information. To proxy LDAP group information through the agent, configure the LDAP Profile and the Group Mapping settings on the firewall and check the "Use as LDAP Proxy" option.

For more information, review the Group Mapping document "How to Configure Group Mapping Settings?" and the LDAP Profile document "How to Configure LDAP Server Profile".

owner: shasnain



    https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000Cm7e&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FkCSArticleDetail