User is intermittently not able to access certain resource over GlobalProtect

Created On 04/20/21 08:29 AM - Last Modified 02/22/24 08:38 AM


Symptom


  • Access to a resource over GlobalProtect (GP) fails intermittently. Access to this resource is allowed by a User-ID based Security policy rule.
  • GlobalProtect is one source of User-IP mappings, and at least one other User-ID source is configured as well, for example a Windows-based User-ID agent or the XMLAPI.
  • When the user or user group is removed from the security rule, the issue is not seen.
  • Re-submitting the HIP profile resolves the issue. The HIP profile is submitted every hour by default, so the issue also clears on its own after some time.
  • At the time of the issue, "show user ip-user-mapping ip <globalprotect_client_IP>" returns an "Unknown" user.
  • In the User-ID logs, we see the following:

According to these logs, the GP user pantac\paloalto logged into GP on 04/20 at 19:31. Just after that, another login event for the same IP is learned through the XMLAPI. Notice that the timeout value changed from 10800 sec to 2700 sec because of the XMLAPI login event.

NOTE: The XMLAPI was used here for demonstration purposes. The issue is more likely to happen when a Windows-based User-ID agent (or the PAN-OS integrated agent) is configured, because it reads security/session logs from the domain controllers. For example, if a user logs into GP and then accesses an internal resource such as a printer, a security event is generated on the AD server; the User-ID agent reads it and forwards the mapping to the firewall, which overwrites the existing GP-learned User-IP mapping together with its timeout.

  • In the traffic logs, the "source user" field is lost and the traffic starts matching a deny rule. This may not be apparent in a customer environment because session logging is disabled on the default deny rule; in that case a gap in the traffic logs will be seen for the specific source IP.



Environment


  • Palo Alto Firewall
  • GlobalProtect
  • User-ID


Cause


  • The issue is caused by the User Identification timeout, 2700 sec (45 min) in this scenario. 45 minutes is also the default timeout in User-ID agent setups.
  • The GP HIP profile is submitted every hour and refreshes the User-IP mapping on the firewall. However, because the mapping was overwritten by the XMLAPI login event, its timeout was reset to 45 minutes. After 45 minutes the mapping was cleared, and because the next HIP profile had not yet been submitted, the GP user's traffic no longer matched the expected security policy rule until the next HIP submission.


Resolution


  • Increase the User Identification timeout to at least 1 hour, so that the GP agent is guaranteed to submit its HIP profile before the firewall ages out the mapping. A timeout equal to the HIP interval leaves no margin for a delayed HIP report, so some headroom above it is advisable.
  • Note: the User Identification timeout is subject to fine tuning. In a fairly static office environment it can be safe to set this timeout to 600+ minutes, since the default Kerberos user ticket lifetime is 10 hours. In a very dynamic environment with many users sharing workstations, a shorter timeout may be more appropriate, because a stale mapping would let one user's traffic match policy written for another.
Reference: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRyCAK
  • An additional resolution is to exclude the GlobalProtect IP address pool from User-ID user mapping for the other sources, so that agent or XMLAPI events for those IPs cannot overwrite the GP-learned mapping.
Reference: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/user-identification/device-user-identification-user-mapping/include-or-exclude-subnetworks-for-user-mapping
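To make the timing concrete, the following Python model replays the timeline described under Cause and Resolution: a GlobalProtect login learned with a 10800 sec timeout, an agent or XMLAPI login event a few seconds later that overwrites the entry with the default 2700 sec timeout, and a HIP report one hour after login. It is an added example written for this article, not PAN-OS code; it models only the overwrite behaviour the User-ID logs show. The client IP 10.10.10.5, the pool 10.10.10.0/24 and the event times are constructed. It also exercises both fixes: raising the timeout to the HIP interval, and excluding the GP pool from the other sources' mapping.

```python
"""Model of a PAN-OS User-ID IP-to-user mapping expiring between GlobalProtect
HIP reports after a second User-ID source overwrites the entry.

Illustrative simulation written for this article, not PAN-OS code. Timer
values come from the article: GP login timeout 10800 s, default User-ID
timeout 2700 s (45 min), HIP report interval 3600 s (1 h). The IP, user and
event times are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

GP_LOGIN_TIMEOUT = 10800      # seconds, GlobalProtect-learned mapping
DEFAULT_UID_TIMEOUT = 2700    # seconds, default agent/XMLAPI mapping timeout
HIP_INTERVAL = 3600           # seconds, default HIP report interval
UNKNOWN = "Unknown"


@dataclass
class Mapping:
    user: str
    source: str
    expires: int  # absolute time in seconds at which the entry is dropped


class UserIdCache:
    """IP-to-user cache: a login event from any source overwrites the entry
    and its timeout, which is what the article's User-ID logs show."""

    def __init__(self, uid_timeout=DEFAULT_UID_TIMEOUT, exclude_networks=()):
        self.uid_timeout = uid_timeout
        self.exclude = [ip_network(n) for n in exclude_networks]
        self.table = {}

    def _excluded(self, ip):
        return any(ip_address(ip) in net for net in self.exclude)

    def gp_login(self, now, ip, user):
        self.table[ip] = Mapping(user, "GP", now + GP_LOGIN_TIMEOUT)

    def hip_report(self, now, ip, user):
        # A HIP report refreshes the GP mapping and restarts its timer.
        self.table[ip] = Mapping(user, "GP", now + GP_LOGIN_TIMEOUT)

    def agent_login(self, now, ip, user, source="UIA"):
        # Windows/PAN-OS integrated agent or XMLAPI event. Ignored for IPs in
        # the exclude list (the article's second resolution). Returns whether
        # the event was applied.
        if self._excluded(ip):
            return False
        self.table[ip] = Mapping(user, source, now + self.uid_timeout)
        return True

    def lookup(self, now, ip):
        m = self.table.get(ip)
        if m is None or now >= m.expires:
            self.table.pop(ip, None)
            return UNKNOWN
        return m.user


def unknown_window(uid_timeout=DEFAULT_UID_TIMEOUT, exclude_networks=()):
    """Replay the article's timeline and return the list of seconds, within
    the first HIP interval, during which the GP client IP resolves to
    'Unknown' (and therefore misses the User-ID based rule)."""
    ip, user = "10.10.10.5", "pantac\\paloalto"   # constructed values
    cache = UserIdCache(uid_timeout, exclude_networks)
    cache.gp_login(0, ip, user)
    cache.agent_login(5, ip, user, source="XMLAPI")   # "just after" GP login
    unknown = []
    for t in range(0, HIP_INTERVAL + 1):
        if t == HIP_INTERVAL:
            cache.hip_report(t, ip, user)
        if cache.lookup(t, ip) == UNKNOWN:
            unknown.append(t)
    return unknown


if __name__ == "__main__":
    scenarios = [
        ("default 45 min timeout", {}),
        ("timeout raised to 60 min", {"uid_timeout": 3600}),
        ("GP pool excluded", {"exclude_networks": ["10.10.10.0/24"]}),
    ]
    for label, kwargs in scenarios:
        w = unknown_window(**kwargs)
        if w:
            print(f"{label}: Unknown from t={w[0]}s to t={w[-1]}s ({len(w)} s)")
        else:
            print(f"{label}: mapping never Unknown before the HIP report")
```

With the defaults the model reports the mapping as Unknown from 2705 s until the HIP report at 3600 s, the roughly 15-minute hole that appears as a gap in the traffic logs; with the timeout raised to 3600 s, or with the pool excluded, the window is empty.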