All about User-ID domain map


Created On 09/25/18 17:27 PM - Last Modified 11/07/20 01:16 AM

  • PAN-OS 7.1 and above.
  • Palo Alto Firewall.
  • User-ID configuration.



You should have a working knowledge of:

  • Active Directory
  • The User-ID feature on the Palo Alto Networks firewall


Components Used

The information in this document is based on these software and hardware versions:

  • Palo Alto Networks VM firewall running PAN-OS 7.1
  • Active Directory Domain Services running on a Microsoft Windows Server 2012 R2 server, configured as a domain controller


The information in this document was created from the devices in a specific lab environment.
If your network is live, make sure that you understand the potential impact of any command.


The Palo Alto Networks firewall uses the domain map to store the fully qualified Active Directory domain name (FQDN) together with its equivalent NetBIOS domain name.

The map is used to normalize (convert) usernames and group names from their FQDN form to the corresponding NetBIOS domain name form.

For example, if the domain '' is the FQDN, then its equivalent NetBIOS domain name is 'paloaltonetworks'.


In an Active Directory environment, a user who is a member of this domain will have the username paloaltonetworks\username.



Let us take a deeper look at how the firewall retrieves the NetBIOS domain name from the Active Directory domain controllers, populates the domain map, and then uses it to convert FQDN names to NetBIOS names.


For the sake of simplicity and ease of illustration, we'll break the workflow into three phases.



  • PHASE 1   Retrieving the netbios domain name 


The firewall requests the NetBIOS domain name as part of the LDAP partition query it sends during the LDAP refresh, populates its domain map, and writes the entry into the domain-map file.


The value is fetched over the LDAP connection on port 389/636 (not over the Global Catalog ports 3268 or 3269).

All domain controllers hold this information, since it lives in the Configuration partition.


Location: LDAP://CN=Partitions,CN=Configuration,DC=<DomainName>,

ADSI Edit: connect to "Configuration" (ADSI - Active Directory Service Interfaces)



Here's the LDAP partition query response from the Active Directory domain controller to the firewall, showing:

  • Target of the query - CN=Partitions,CN=Configuration,DC=test,DC=kunaldc,DC=com
  • FQDN - ''
  • NetBIOS domain name - 'test'





  • PHASE 2    Storing the netbios domain name 


The file containing each FQDN and its NetBIOS domain name is stored internally in the Linux-based directory structure on the firewall.


You can view the domain map from the firewall command line with 'debug user-id dump domain-map'.


[Screenshot: output of 'debug user-id dump domain-map' (domain map.JPG)]


The domain map persists across a device reload, even when you have deleted the group mapping profile for the respective domain.


Likewise, any NetBIOS domain name once learned by the firewall continues to persist unless it is explicitly removed with the CLI command 'debug user-id clear domain-map'.



  • PHASE 3   Apply the netbios domain name to user groups and members of these groups 


The NetBIOS name is used to:


1.   Convert the 'fqdn\username' format to the NetBIOS domain name format, i.e. 'netbios\username'.

   E.g. the user testuser is a member of the Active Directory domain ''.
          Its FQDN name format is '\testuser'.


Once the firewall learns the NetBIOS name of the Active Directory domain, it converts every username in FQDN format to the NetBIOS name format.




Hence the FQDN username format '\testuser' is converted to 'test\testuser'.


2.   Normalize groups from their full DN to the short name format.

In the absence of a domain map entry, all AD groups are recognized in their full domain name format.


A group named sme_group whose full DN format is
'cn=sme_group, ou=tier2,ou=networking,ou=apac,ou=tac2,dc=test,,dc=com' is converted into 'test\sme_group'.

Similarly, a user who is a member of sme_group and of the Active Directory domain '' is also transformed from '\testuser' to 'test\testuser'.
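To make the Phase 3 conversion concrete, the following Python snippet models both normalizations: 'fqdn\user' (or 'user@fqdn') to 'netbios\user', and a group DN to 'netbios\cn'. It is an added example, not firewall code or code from Palo Alto Networks; the domain map, the FQDN test.example.com and the group DN it uses are constructed for the example because the article's own FQDN is elided.

```python
"""Model of the User-ID domain map normalization described in Phase 3.

The domain map and the sample identities are constructed for this example;
on the firewall the map is learned via the LDAP partition query and can be
viewed with 'debug user-id dump domain-map'.
"""

# Constructed domain map: FQDN (lower-case) -> NetBIOS domain name.
DOMAIN_MAP = {
    "test.example.com": "test",
    "corp.example.com": "corp",
}


def normalize_user(identity: str, domain_map: dict = DOMAIN_MAP) -> str:
    """Convert 'fqdn\\user' or 'user@fqdn' to 'netbios\\user'.

    If the FQDN is not in the domain map the identity is returned unchanged,
    mirroring the firewall keeping the long form until the map is learned.
    """
    if "\\" in identity:
        domain, user = identity.split("\\", 1)
    elif "@" in identity:
        user, domain = identity.rsplit("@", 1)
    else:
        return identity  # already short, or no domain component at all
    netbios = domain_map.get(domain.lower())
    return f"{netbios}\\{user}" if netbios else identity


def normalize_group(dn: str, domain_map: dict = DOMAIN_MAP) -> str:
    """Convert a group DN to 'netbios\\cn' using its dc= components.

    The FQDN is rebuilt by joining the dc= RDNs in order; the group name is
    the cn= RDN. Unknown domains leave the full DN in place. Simplification:
    the DN is split on ',' so escaped commas inside an RDN are not handled.
    """
    rdns = [r.strip() for r in dn.split(",")]
    cn = next((r.split("=", 1)[1] for r in rdns if r.lower().startswith("cn=")), None)
    dcs = [r.split("=", 1)[1] for r in rdns if r.lower().startswith("dc=")]
    if cn is None or not dcs:
        return dn
    fqdn = ".".join(dcs).lower()
    netbios = domain_map.get(fqdn)
    return f"{netbios}\\{cn}" if netbios else dn
```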







1.  The firewall applies this normalization both to users obtained through the IP-to-user mapping mechanisms (User-ID agent, agentless, syslog, XML API, etc.) and to users retrieved from Active Directory domain controllers via LDAP.

[Screenshot: user mapping output (user mapping 2.JPG)]


2.  The domain map is not synchronized between the active and passive firewalls in an Active-Passive HA setup.
The passive device must at some point serve as the active device in the HA pair in order to connect to the Active Directory server and fetch the NetBIOS domain name via the LDAP partition query.

Additional Information
For related issues with Group Mapping in a multi-domain AD DS forest, please refer to the following article:
How to Configure Group-Mapping in a Multi-Domain Active Directory Domain Services (AD DS) Forest
