Panorama GROUP MAPPING - How to show AD groups in Panorama policies

  • Published on 11 Sep 2024
  • In this video I will show you how to automatically synchronize your Active Directory groups to Palo Alto Panorama Policies. Whenever you create new policies, such as security rules, you will be able to select the AD groups in the field Source User instead of having to type or paste their Distinguished Names.
    #paloaltonetworks #paloaltofirewall #firewall #panorama
    ** Link to FREE CLI Cheat Sheet and other resources **
    netsums.com/re...

Comments • 23

  • @netsums  5 months ago

    🔥 Join our exclusive online training: "Mastering Palo Alto Firewalls: Comprehensive Training in Operation and Management." 🚀 Prepare confidently for the PCNSA exam with expert guidance and hands-on exercises. Reserve your spot now and benefit from Early Bird discounts and bonuses! 💻 Learn more and register at netsums.com/training

  • @TimYamamoto-or1id 4 months ago +1

    Can't thank you enough... your clear instructions make this a breeze...

    • @netsums  4 months ago

      You're welcome, I'm glad you could get some value from the video. :-)

  • @nfreddyyy 10 months ago

    You are a legend my friend. Love it! Please keep up the good work and your happy self 😁

    • @netsums  10 months ago

      Thank you so much for the nice comment! I'm glad you liked the video. :-)

  • @highsteppersconsultant590 9 months ago

    Very direct and straightforward...thanks

    • @netsums  9 months ago

      I'm happy you liked the video. :)

  • @netsums  7 months ago

    FREE Palo Alto Cheat Sheet in different formats and further FREE resources: netsums.com/resources

  • @lifequestions5546 10 months ago

    Thank you. It helps to refresh the knowledge.

    • @netsums  10 months ago

      You are welcome. Thank you for the comment. :-)

  • @潘群崴 days ago

    Hello, Admin. Following your configuration, I've set up LDAP, and the policy configuration works fine. However, the traffic and User ID are showing users instead of groups. Could it be because the User ID Agent is installed, preventing the display of groups?

    • @netsums  days ago +1

      Groups are not displayed in the traffic logs, only users. In order to know if a user is a member of a set of groups, you need to go to the CLI and enter the commands "show user user-ids all", or "show user group name "

    • @潘群崴 days ago

      @netsums Thank you, Admin, for your response. I appreciate your hard work.😀

    • @潘群崴 days ago

      @netsums I apologize, but may I ask you one more question? If LDAP is configured on Palo Alto, will the User ID Agent also retrieve the information?

    • @netsums  days ago

      LDAP is used for authentication and group mapping. The user ID agent does the mapping from an IP address to a username. They do different things.

  • @sridharbvnl2101 9 months ago

    excellent

    • @netsums  9 months ago

      Thank you, I'm glad you liked it

  • @TsH18 4 months ago

    In my case that wasn't enough... I had to enable "Enable reporting and filtering on groups" under Panorama > Setup > Management > Panorama Settings and "Store users and groups from the master device if reporting and filtering of groups is enabled in Panorama settings" under Panorama > Device Groups >

    • @netsums  4 months ago

      Okay, I didn't have to enable these options in my lab. But thanks for letting us know! Probably you will be able to help other people. :-) What version are you running?

    • @TsH18 4 months ago

      @netsums The version is 10.1.11-h5

    • @jonreyno1187 2 months ago

      Awesome, for me it was the same, thanks

    • @alejandrorodriguez3771 29 days ago

      @netsums The problem was that you configured LDAP and user ID mapping on Panorama, under the specific template, pushed to the FW, and then you try to create a rule in the FW itself (it is shown in the video that you are in the FW, not in Panorama), and that is why you see the groups there. Try to create a sec rule from Panorama, you will not see the groups
      I had to enable "Enable reporting and filtering on groups" under Panorama > Setup > Management > Panorama Settings and "Store users and groups from the master device if reporting and filtering of groups is enabled in Panorama settings" under Panorama > Device Groups >

    • @netsums  29 days ago

      The video is a little old, but I took a look at it again. At minute 6:21 I start adding a new security rule in Panorama, and it does show the Active Directory groups. That's what you meant, right? Or did I misunderstand the problem? :-)