Issue with ip-user-mapping in mixed environments of GlobalProtect and user-ID agents.

Created On 06/03/21 18:16 PM - Last Modified 04/30/24 16:14 PM


Symptom


  • The ip-user-mappings for VPN users are intermittently missing on the firewall while the GlobalProtect users are still logged in and active. As a result, user traffic does not match the intended User-ID and HIP-based security policies.
  • The user-id logs show two different sources for the same ip-user-mapping, each with a different timeout value.
Example 1: [screenshot of user-id log not included]
Example 2: [screenshot of user-id log not included]


Environment


  • Any PAN-OS
  • User-ID agent
  • GlobalProtect


Cause


The firewall is learning ip-user-mappings for the same users from multiple sources: GlobalProtect and the User-ID agents. The firewall caches only the most recently learned mapping together with that source's timeout value, so any prior mapping entry for the IP is overwritten. When the overwriting entry carries a shorter timeout, the mapping expires while the GlobalProtect session is still active.

Resolution


To avoid this behavior, it is recommended that the 'IP Pools' used by GlobalProtect be added to the exclude list of the User-ID agents connected to the Gateway firewall, so that the agents do not report mappings for addresses in those pools.
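The following Python model is an added illustration (not part of the article or any Palo Alto Networks code) of the cache behaviour described above: the most recent learn from any source replaces the entry and its timeout, and excluding the GlobalProtect pool from the agent prevents the overwrite. The pool range 10.20.0.0/16, the source labels, the user name and the timeout values are constructed assumptions.

```python
from dataclasses import dataclass
import ipaddress


@dataclass
class Mapping:
    user: str
    source: str      # "globalprotect" or "uia" (User-ID agent), assumed labels
    expires_at: int  # simulated clock, seconds


class UserIdCache:
    """Simplified model of the firewall's ip-user-mapping cache: one entry
    per IP, and the latest learn from any source replaces the previous
    entry including its timeout (the behaviour the article describes)."""

    def __init__(self, agent_exclude_networks=()):
        self.entries = {}
        self.exclude = [ipaddress.ip_network(n) for n in agent_exclude_networks]

    def learn(self, ip, user, source, now, timeout):
        # The include/exclude list applies only to mappings reported by the agent.
        if source == "uia" and any(ipaddress.ip_address(ip) in n for n in self.exclude):
            return False
        self.entries[ip] = Mapping(user, source, now + timeout)
        return True

    def lookup(self, ip, now):
        m = self.entries.get(ip)
        if m is None or m.expires_at <= now:
            self.entries.pop(ip, None)   # expired: mapping is gone
            return None
        return m


def simulate(exclude_pool):
    """Replay the scenario and return the user seen for the VPN address at
    t=1200s, while the GlobalProtect session is still active (until t=3600s)."""
    cache = UserIdCache(["10.20.0.0/16"] if exclude_pool else [])
    # Constructed events: GlobalProtect assigns 10.20.0.5 from its pool.
    cache.learn("10.20.0.5", "acme\\alice", "globalprotect", now=0, timeout=3600)
    # The agent later sees the same IP (e.g. via a logon event) and reports it
    # with its own, shorter timeout, overwriting the GlobalProtect entry.
    cache.learn("10.20.0.5", "acme\\alice", "uia", now=300, timeout=600)
    m = cache.lookup("10.20.0.5", now=1200)
    return None if m is None else m.user
```

Without the exclusion the agent's entry expires at t=900s and the lookup returns nothing; with the pool excluded the GlobalProtect mapping survives.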

Refer to the links below on how to configure the include/exclude list on the user-id agent:

