Global Protect Portal / Gateway Config Selection Criteria not applied for UPN ( e-mail ) format usernames

Created On 10/24/24 13:09 PM - Last Modified 09/08/25 21:41 PM


Symptom


  • User authenticates to GP with username in an e-mail format
  • The same e-mail format is used in the GP Portal/Gateway "Config Selection Criteria"
  • The user is successfully authenticated but GP presents the "Connection Failed. You are not authorized to connect to GlobalProtect Portal." notification and the user is not connected to the GP Portal
  • The user is successfully authenticated but GP presents "Connection Failed. Matching client config not found" notification and the user is not connected to the GP Gateway


Environment


All PAN-OS releases
All GP releases



Cause


After successful authentication, the firewall normalizes the username to the domain\username format.

If group-mapping or CIE (Cloud Identity Engine) is configured on the firewall, a domain-map should be present on the firewall. All users are fetched together with the user attributes specified in the group-mapping or CIE configuration.

A username in the username@domain format is first normalized to the domain\username format. Depending on whether a domain-map entry for the domain is present, the domain part either stays as the FQDN (example format "mylab.local") or is replaced by the NetBIOS name (example format "mylab").

In the next step the user's attributes are checked, and the "Config Selection Criteria" are matched against all available username attributes. If no user attributes are present, the only username format used for the "Config Selection Criteria" match is the domain\username format.

If none of the user's attributes matches the e-mail format, the "Config Selection Criteria" entry configured with an e-mail format username on the GP Portal/Gateway will not be matched.



Resolution


The correct username format has to be used in the "Config Selection Criteria". Different formats can be used, depending on the situation.

For username "username@mylab.local" we can use:
- "mylab.local\username" if no domain-map entry for "mylab.local" is present on the firewall
- "mylab\username" if a domain-map entry for "mylab.local" is present on the firewall
- any available user attribute, if a domain-map entry for "mylab.local" is present on the firewall and other user attributes have been fetched for the user

Useful commands:
- to check domain-map:
debug user-id dump domain-map
- to check user's attributes:
show user user-attributes user <value>



Additional Information


Example behavior for 3 users:
- tomasz2@mylab.local
- tomasz3@lab.test
- tomasz4@mylab.local

Group mapping is configured on the firewall.
Domain-map is fetched:

Only one user is fetched from the AD (tomasz2@mylab.local). The two other users are not members of the AD. As a result, user attributes exist for only one user:


GP Gateway "Config Selection Criteria" is configured as follows:


The results for all 3 users:
- tomasz2@mylab.local
The username is normalized to the format "mylab\tomasz2".
The config is matched for 2 username formats: "mylab\new_user" and "tomasz2@mylab.local".


- tomasz3@lab.test
As no domain-map entry for lab.test is present, the username is normalized to the format "lab.test\tomasz3".
"lab.test\tomasz3" is the only user attribute, and the config is successfully matched based on that format.


- tomasz4@mylab.local
As a domain-map entry for "mylab.local" is present, the username is normalized to the format "mylab\tomasz4".
No user attribute is fetched from the AD, so "mylab\tomasz4" is the only identity the config is checked against.
As expected, no config is matched.
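The following Python model illustrates the normalization and matching sequence described in the Cause section and reproduces the three-user walkthrough above. It is an added example written for this article, not PAN-OS code and not the firewall's actual implementation: the domain-map, the user-attribute store, the two "Config Selection Criteria" lists and the function names are all constructed for the demonstration, and the case-insensitive comparison is an assumption.

```python
# Illustrative model of GlobalProtect "Config Selection Criteria" matching.
# NOT PAN-OS code: every structure below is constructed sample data that
# mirrors the article's three-user example. Case-insensitive matching is an
# assumption of this model.


def normalize_username(username: str, domain_map: dict) -> str:
    """Rewrite user@domain to domain\\user.

    If the FQDN has a domain-map entry, the NetBIOS name replaces it;
    otherwise the FQDN is kept as the domain part.
    """
    if "@" not in username:
        return username
    user, _, fqdn = username.partition("@")
    domain = domain_map.get(fqdn.lower(), fqdn)
    return f"{domain}\\{user}"


def candidate_identities(username: str, domain_map: dict, user_attributes: dict) -> set:
    """All identifiers the criteria are compared against: the normalized
    name plus any attributes fetched via group-mapping / CIE for that user."""
    normalized = normalize_username(username, domain_map)
    attrs = user_attributes.get(normalized.lower(), [])
    return {normalized.lower(), *(a.lower() for a in attrs)}


def select_config(username: str, criteria: list, domain_map: dict, user_attributes: dict):
    """Return the first config name whose user list matches one of the
    user's candidate identities, or None (the "Matching client config not
    found" / "not authorized" outcome)."""
    ids = candidate_identities(username, domain_map, user_attributes)
    for config_name, users in criteria:
        if any(u.lower() in ids for u in users):
            return config_name
    return None


# --- constructed sample data, modelled on the article's example -------------
DOMAIN_MAP = {"mylab.local": "mylab"}  # lab.test deliberately has no entry

USER_ATTRIBUTES = {
    # only tomasz2 exists in AD, so only it carries extra attributes
    "mylab\\tomasz2": ["mylab\\new_user", "tomasz2@mylab.local"],
}

USERS = ["tomasz2@mylab.local", "tomasz3@lab.test", "tomasz4@mylab.local"]

# Criteria written purely in e-mail format (the misconfiguration in this KB).
EMAIL_CRITERIA = [
    ("gw-config", ["tomasz2@mylab.local", "tomasz3@lab.test", "tomasz4@mylab.local"]),
]

# Criteria rewritten per the Resolution section: normalized domain\user
# entries for users without attributes, e-mail kept where it is an attribute.
FIXED_CRITERIA = [
    ("gw-config", ["tomasz2@mylab.local", "lab.test\\tomasz3", "mylab\\tomasz4"]),
]


def evaluate_all(criteria: list) -> dict:
    """Map each sample user to the config it lands in (or None)."""
    return {u: select_config(u, criteria, DOMAIN_MAP, USER_ATTRIBUTES) for u in USERS}


if __name__ == "__main__":
    for label, crit in (("e-mail only", EMAIL_CRITERIA), ("corrected", FIXED_CRITERIA)):
        print(f"Criteria: {label}")
        for user, result in evaluate_all(crit).items():
            ids = sorted(candidate_identities(user, DOMAIN_MAP, USER_ATTRIBUTES))
            print(f"  {user:22} -> {result!s:10} candidates={ids}")
```

Running the script shows that with e-mail-only criteria only tomasz2 connects, because the e-mail string survives as one of his fetched attributes; tomasz3 and tomasz4 have nothing but their normalized domain\user identity, so they hit the "not found" path until the criteria are rewritten in that format.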





    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000PQlLCAW&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail