Duplicate IP User Mapping After Upgrading to PAN-OS 8.1 or Above

Created On 04/24/19 23:49 PM - Last Modified 04/19/24 20:07 PM


Symptom


In some cases the ip-user-mapping can appear duplicated after upgrading to PAN-OS 8.1 or above. Note the different usernames in the user and group fields of the detailed output:

> show user ip-user-mapping all option detail | match user1

User: domain\adm_user1    <<<<

Group(s): domain\user1(147) <<<

Expected/Working condition:

> show user ip-user-mapping all | match user1

10.1.1.100  vsys1 UIA domain\user1 5094 5094 

Incorrect mapping:
> show user ip-user-mapping all | match user1

10.1.1.100  vsys1 UIA domain\adm_user1 5094 5094
 

In the example above, the IP is mapped to adm_user1 instead of user1, which is the expected and correct mapping.



Environment


  • Palo Alto Firewall.
  • PAN-OS 8.1, 9.0 and 9.1
  • User ID


Cause


In such cases, check whether the two usernames actually belong to the same person, that is, whether the two sAMAccountNames share the same email address attribute. In the example above this is the case if adm_user1 and user1 have the same email address attribute.

If they do, this behavior is expected. It is caused by the User-ID attribute normalization introduced in PAN-OS 8.1.x: when multiple users have the same email value, the group-mapping attributes are no longer unique.

Why can the same user appear both as a primary user and under a secondary attribute? Because upon upgrade the "E-Mail" attribute is added as a secondary attribute.

When the email address is not unique, the result is unexpected behavior: the attribute is sometimes treated as the primary username and sometimes as a secondary attribute.

 



Resolution


If "E-Mail" is used as an attribute, make sure every distinct user has a unique email address. If the email attribute is not used as the primary attribute, enter a dummy value such as "maildummy1" for the email attribute. The firewall will then not fetch email addresses from AD and will not map different users to the same user.

Here's an example: [screenshot not reproduced]
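As an added example (this is not code from the article or from Palo Alto Networks), the following Python script performs the two checks the Cause and Resolution sections call for: it finds sAMAccountNames that share a mail attribute in an exported list of AD users, and it flags lines of `show user ip-user-mapping all` output whose user is one of those colliding accounts. The CSV column names, the way the export is produced, and the header and summary lines of the mapping output are assumptions; the data rows follow the column order of the lines quoted above, and all sample data is constructed.

```python
"""Added example (not Palo Alto Networks code): find AD accounts whose mail
attribute collides and flag ip-user-mapping entries that involve them.

Assumptions: the AD data is a CSV export with 'sAMAccountName' and 'mail'
columns, and the mapping text follows the column order of the
`show user ip-user-mapping all` lines quoted in the article:
IP, vsys, source, user, idle timeout, max timeout.
"""
import csv
import io
import re
from collections import defaultdict

# Constructed sample AD export; these are not real accounts.
AD_EXPORT_CSV = """sAMAccountName,mail
user1,user1@example.com
adm_user1,User1@example.com
user2,user2@example.com
svc_backup,
user3,user3@example.com
"""

# Constructed sample firewall output modelled on the lines quoted in the
# article; the header and "Total" line are assumed, not copied from a device.
IP_USER_MAPPING_OUTPUT = r"""IP          Vsys   From  User              IdleTimeout(s) MaxTimeout(s)
----------- ------ ----- ----------------- -------------- -------------
10.1.1.100  vsys1  UIA   domain\adm_user1  5094           5094
10.1.1.101  vsys1  UIA   domain\user2      2600           2600
10.1.1.102  vsys1  UIA   domain\user3      1000           1000
Total: 3 users
"""

MAPPING_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<vsys>\S+)\s+(?P<source>\S+)\s+"
    r"(?P<user>\S+)\s+(?P<idle>\d+)\s+(?P<max>\d+)\s*$"
)


def find_mail_collisions(csv_text):
    """Group accounts by e-mail (case-insensitive, whitespace-trimmed) and return
    only the e-mails shared by more than one account.  Accounts with an empty
    mail attribute are skipped: they cannot collide with anyone."""
    accounts_by_mail = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        mail = (row.get("mail") or "").strip().lower()
        if not mail:
            continue
        accounts_by_mail[mail].append(row["sAMAccountName"].strip())
    return {mail: accts for mail, accts in accounts_by_mail.items() if len(accts) > 1}


def parse_ip_user_mapping(output):
    """Parse the data rows of the mapping output; header, separator and summary
    lines do not match the pattern and are ignored."""
    rows = []
    for line in output.splitlines():
        match = MAPPING_RE.match(line.strip())
        if match:
            row = match.groupdict()
            row["idle"] = int(row["idle"])
            row["max"] = int(row["max"])
            rows.append(row)
    return rows


def flag_ambiguous_mappings(mappings, collisions):
    """Return (ip, user) pairs whose account shares an e-mail with another
    account.  After the 8.1 normalization the IP may be attributed to any of
    those accounts, so such a mapping cannot be trusted to name the right user."""
    ambiguous = {acct.lower() for accts in collisions.values() for acct in accts}
    flagged = []
    for row in mappings:
        # Strip the "domain\" prefix; rpartition leaves the name intact if absent.
        _domain, _sep, account = row["user"].rpartition("\\")
        if account.lower() in ambiguous:
            flagged.append((row["ip"], row["user"]))
    return flagged


if __name__ == "__main__":
    collisions = find_mail_collisions(AD_EXPORT_CSV)
    for mail, accts in collisions.items():
        print(f"e-mail {mail} shared by: {', '.join(accts)}")
    mappings = parse_ip_user_mapping(IP_USER_MAPPING_OUTPUT)
    for ip, user in flag_ambiguous_mappings(mappings, collisions):
        print(f"mapping {ip} -> {user} is ambiguous; verify which account is meant")
```

Run against a real export, any e-mail listed by the first function is a candidate for either a unique address or the dummy value described in the Resolution; the flagged mappings tell you which firewall entries to re-check after the change.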

 



Additional Information


Note: This information is not applicable to PAN-OS 10.0 and above.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLkmCAG&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail