How to Configure User Identification Timeout for PAN-OS integrated User-ID agent
Created On 11/18/19 03:12 AM - Last Modified 11/18/19 03:23 AM
Objective
- The PAN-OS integrated User-ID agent (agentless User-ID setup) performs the same tasks as the Windows-based agent, with the exception of NetBIOS client probing (WMI probing is supported).
- This document explains how to configure the cache timeout for user mappings so that the firewall has the most current user mapping information.
Environment
- PAN-OS Firewall
- Agentless user-id setup or PAN-OS integrated User-ID agent
Procedure
- Navigate to Device --> User Identification
- Click on "User Mapping" Tab
- Click on "Edit" in section "Palo Alto Networks User-ID Agent Setup"
- Click on tab "Cache"
- Check the option "Enable User Identification Timeout". This option enables a timeout value for user mapping entries on the firewall. Once the timeout value is reached for a user-ip mapping, the firewall clears the mapping and collects a new one.
- Change the value in the option "User Identification Timeout" to set the required timeout value. The timeout value is in minutes. The default value for this option is 45 and the maximum value is 1440.
- Click on Commit
- We can make these changes from the CLI too. With the below command we can enable or disable the User Identification Timeout
- The below command can be used from the CLI to change the user-ip mapping timeout value
Additional Information
Please refer to the link below, which explains how to achieve the same objective in the Windows-based User-ID agent.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClZzCAK