Same user is learnt via GlobalProtect Gateway and the User ID Agent

Created On 04/25/22 18:03 PM - Last Modified 10/17/25 20:25 PM


Symptom


  • The user does not match the intended user-based Security Policy when connected through GlobalProtect.
  • While the user is connected through GP, the firewall learns an IP-to-user mapping for the same IP from both the GP gateway and the UIA:
> show user ip-user-mapping-mp all | match <username>

10.10.10.x vsys1 (User-ID Hub) UIA domain\<username> 2659
10.10.10.x vsys3 GP otherdomain\<username> 10799


Environment


  • GlobalProtect (GP) Gateway
  • User-ID Agent (UIA)
  • Supported PAN-OS


Cause


  • When multiple sources report a mapping for the same IP, the firewall always uses the latest (most recent) IP-to-user mapping it receives.
  • That mapping stays in effect until its expiration time.
> show user ip-user-mapping ip 10.10.10.x
IP address: 10.10.10.x (vsys1(User-ID Hub))
User: domain\<username>
From: UIA
Idle Timeout: 2582s
Max. TTL: 2582s
HIP Query: Disabled
Group(s): domain\<username>(85929)


Resolution


  1. Exclude the GlobalProtect Client IP Pools from the User-ID Agent.
  2. Refer to the steps in the knowledge article GlobalProtect users losing network access some minutes after being connected.
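The following script is an added example, not part of this article or of PAN-OS. It parses the `show user ip-user-mapping-mp all` table shown under Symptom, reports IPs that are learnt from more than one source (the condition described under Cause), and flags UIA-sourced mappings that fall inside a GlobalProtect client pool, which indicates that the pool has not yet been excluded from the User-ID Agent (resolution step 1). The sample output, addresses, user names and the pool `10.10.10.0/24` are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample modelled on the article's `show user ip-user-mapping-mp all`
# output. Addresses and user names are made up; the columns follow the page:
# IP, vsys (optionally annotated "(User-ID Hub)"), source, user, timeout in seconds.
SAMPLE_OUTPUT = r"""
10.10.10.25 vsys1 (User-ID Hub) UIA domain\alice 2659
10.10.10.25 vsys3 GP otherdomain\alice 10799
10.10.20.7 vsys1 (User-ID Hub) UIA domain\bob 1800
"""

LINE_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<vsys>vsys\d+(?:\s+\([^)]*\))?)\s+"
    r"(?P<source>\S+)\s+"
    r"(?P<user>\S+)\s+"
    r"(?P<ttl>\d+)\s*$"
)


def parse_mappings(text):
    """Parse the mapping table into dicts; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["ttl"] = int(row["ttl"])
            rows.append(row)
    return rows


def find_conflicts(rows):
    """Return {ip: [rows]} for every IP learnt from more than one source."""
    by_ip = defaultdict(list)
    for row in rows:
        by_ip[row["ip"]].append(row)
    return {ip: r for ip, r in by_ip.items() if len({x["source"] for x in r}) > 1}


def uia_rows_in_gp_pool(rows, gp_pools):
    """UIA-sourced mappings whose IP lies inside a GlobalProtect client pool.

    Any hit means the pool is still visible to the User-ID Agent, i.e. the
    exclusion from resolution step 1 is not (fully) in place.
    """
    nets = [ipaddress.ip_network(p) for p in gp_pools]
    return [
        row for row in rows
        if row["source"] == "UIA"
        and any(ipaddress.ip_address(row["ip"]) in n for n in nets)
    ]


if __name__ == "__main__":
    rows = parse_mappings(SAMPLE_OUTPUT)
    for ip, entries in find_conflicts(rows).items():
        sources = ", ".join(f"{e['source']} as {e['user']}" for e in entries)
        print(f"{ip}: learnt from {sources}")
    for row in uia_rows_in_gp_pool(rows, ["10.10.10.0/24"]):
        print(f"UIA still maps {row['ip']} inside a GP pool; exclude the pool from the agent")
```

Run it against the real CLI output (paste it into `SAMPLE_OUTPUT` or feed it through `parse_mappings`) with the GP client pools configured on the gateway; an empty result from `uia_rows_in_gp_pool` after applying the resolution confirms the exclusion took effect.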

