Issue with ip-user-mapping in mixed environments of GlobalProte... - Knowledge Base - Palo Alto Networks

Issue with ip-user-mapping in mixed environments of GlobalProtect and user-ID agents.

8372

Created On 06/03/21 18:16 PM - Last Modified 04/30/24 16:14 PM

GlobalProtect Agent

User-ID agent

User Mapping

User-ID

VPNs

8.1

9.0

9.1

10.0

GlobalProtect

PAN-OS

Symptom

The ip-user-mappings for VPN users are intermittently missing on the firewall while GlobalProtect users are still logged in and active, this results in user traffic not matching the intended User-ID and HIP based security policies.
The user-id logs indicate two different sources for the same ip-user-mapping with different timeout values.

Example 1:
User-added image

Example 2:
userid-log

Environment

Any PAN-OS
User-ID agent
GlobalProtect

Cause

The firewall is learning ip-user-mapping for the users from multiple sources, GlobalProtect and user-id agents. The firewall will cache the latest user mapping and timeout value therefore any prior user-mapping entry will be overwritten.

Resolution

To avoid such behavior, it is recommended that the 'IP Pools' used by GlobalProtect be excluded by the user-id agents connected to the Gateway Firewall.

Refer to the links below on how to configure the include/exclude list on the user-id agent:

Other users also viewed:

How to download GlobalProtect from the Customer Support Portal

Download and Install the GlobalProtect App for Windows

Resource List: GlobalProtect Configuring and Troubleshooting

PAN-OS Software Updates

Where to find the current preferred software versions? (PAN-OS, GlobalProtect, User-ID Agent, Plugins)