Hi Rock,

Sure.

I'm attaching the pictures with the rules and logs.

I've tested with the rule above IA permitting all the traffic and it works fine. However if I add the role object - it stops working.

Not sure in that case, may need more testing, maybe contact TAC and see if they can do remote session. Personally, I would just make sure user is included in right access role group and maybe do tcpdump and/or fw monitor as well to test traffic.

Also, maybe run some pdp commands to see the state:

adlog a dc

pdp monitor ip x.x.x.x

pdp monitor user xxxxx

Hope that helps.

Thank you for sharing useful commands.

AD queries are working fine.

I've raised a TAC.

Hopefully support can fix it.

It doesn't look like your user has assumed the defined role. You can check from logs by running filter

blade:"Identity Awareness" AND action:"Log In" AND src:x.x.x.x

change x.x.x.x to users IP of course

then you should see what roles are associated with this IP:

Thats actually an EXCELLENT point! I totally forgot about it, but I agree that if thats wrong, the rule would not work.

Thank you for the advice.

That's interesting!

I've found the logs with failed login and error:

"Failed to get users groups for the domain.
Verify that this domain name is configured in your LDAP Account Unit."

Looks like I've chosen the wrong domain.

I'll check the settings an let you know.

Please let us know if you can correct that, I am 99% sure that is the issue. Big thanks to @Kaspars_Zibarts for pointing that out!!

Hello,

Have you solve this issue, we have the same issue