User Mappings are mapped to the wrong Security Policy when using multiple Attributes
Created On 10/29/20 15:05 PM - Last Modified 03/13/21 00:27 AM
Symptom
A user who has multiple accounts, for instance a Standard and an Admin account, can be mapped to the wrong Security Policy. The Standard account is matched to the Security Policy for Admin users because of the unique attribute the two accounts share.
PAN-OS supports multiple username formats, configured via User-ID attributes. More info here. If you have multiple accounts for the same user, for instance, Standard and Admin accounts:
FW(active)> show user ip-user-mapping all | match 066n
10.161.132.51 vsys2 UIA adm\a-066n 1150 1150
10.110.65.44 vsys2 UIA std\066n 7054 705
If the Standard user std\066n is mapped to a Security Policy for Admin users, this may be because of the unique attribute the accounts have. For instance, the output below shows the Admin account having the same email address as the Standard account, and thereby the user std\066n is matched with a Security Policy for Admins. You can see that adm\a-066n is shown as Primary for std\066n.
FW(active)> show user user-attributes user std\066n
Primary: adm\a-066n Email: 066n@mail.com
Alt User Names:
1) 066n@mail.com
2) std\066n
FW(active)> show user user-attributes user adm\a-066n
Primary: adm\a-066n Email: 066n@mail.com
Alt User Names:
1) 066n@mail.com
2) std\066n
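A check for the condition shown in the output above, as an added example (not Palo Alto code): it parses saved `show user user-attributes user` output and reports every queried account whose Primary is a different account. The line layout is assumed to match the output as it appears on this page, and the function names are hypothetical.

```python
import re

# Output of the two commands shown on this page (whitespace as it appears here).
SAMPLE = r"""
FW(active)> show user user-attributes user std\066n
Primary: adm\a-066n Email: 066n@mail.com
Alt User Names:
1) 066n@mail.com
2) std\066n
FW(active)> show user user-attributes user adm\a-066n
Primary: adm\a-066n Email: 066n@mail.com
Alt User Names:
1) 066n@mail.com
2) std\066n
"""

CMD = re.compile(r"show user user-attributes user (\S+)")
PRIMARY = re.compile(r"Primary:\s*(\S+)(?:\s+Email:\s*(\S+))?")
ALT = re.compile(r"^\s*\d+\)\s*(\S+)")

def parse_blocks(text):
    """Return one dict per command: queried user, primary, email, alternate names."""
    blocks, cur = [], None
    for line in text.splitlines():
        m = CMD.search(line)
        if m:  # a new command starts a new record
            cur = {"queried": m.group(1), "primary": None, "email": None, "alts": []}
            blocks.append(cur)
            continue
        if cur is None:
            continue
        m = PRIMARY.search(line)
        if m:
            cur["primary"], cur["email"] = m.group(1), m.group(2)
            continue
        m = ALT.match(line)
        if m:
            cur["alts"].append(m.group(1))
    return blocks

def merged_accounts(text):
    """Flag queried users whose Primary is another account (compared case-insensitively)."""
    return [(b["queried"], b["primary"], b["email"])
            for b in parse_blocks(text)
            if b["primary"] and b["queried"].lower() != b["primary"].lower()]

if __name__ == "__main__":
    for queried, primary, email in merged_accounts(SAMPLE):
        # Assumption: the Email on the Primary record is the value both accounts share.
        print(f"{queried} resolves to primary {primary} (email on record: {email})")
```

Any account this reports will be evaluated against Security Policy rules written for the Primary account, which is the mismatch described in the Symptom.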
Environment
- PAN-OS 8.1 and above.
- Palo Alto Firewalls.
- User ID configured
- Users with multiple accounts with common email or other attributes.
Cause
If a user has multiple accounts that share the value of a user-id attribute that is treated as unique, the user will match the wrong security policy. For instance, the user can have a standard and an admin account. The sAMAccountName can be different, and the accounts can exist as two different users.
Resolution
This is expected because of the unique mail attribute.
As a workaround, ignore the common attribute between the two users by adding a dummy value, or change the attribute in Active Directory for one of the users.
For example, in the above scenario, the mail attribute is configured with "mail1". Adding a dummy value for an attribute will prevent retrieving the values.
Primary Username = sAMAccountName
E-mail = left blank or 'mail1'
Alternate Username 1 = userPrincipalName