A Palo Alto Networks firewall (PA-1) is configured as a GlobalProtect Gateway and as a User-ID redistribution device.
Another Palo Alto Networks firewall (PA-2) is configured to retrieve IP-mapping information from PA-1.
Symptom
When a user (testuser) connects to the GlobalProtect Gateway, the From value in the IP-user mapping on PA-1 shows GP. However, on PA-2, the From value shows UIA.
admin@PA-1> show user ip-user-mapping all

IP        Vsys   From   User           IdleTimeout(s) MaxTimeout(s)
--------- ------ ------ -------------- -------------- -------------
1.1.1.1   vsys1  GP     testuser       8410           8410

admin@PA-2> show user ip-user-mapping all

IP        Vsys   From   User           IdleTimeout(s) MaxTimeout(s)
--------- ------ ------ -------------- -------------- -------------
1.1.1.1   vsys1  UIA    testuser       2926           2926
Cause
When a Palo Alto Networks firewall acts as a redistribution device (collector), it acts as a User-ID Agent to the other Palo Alto Networks firewalls. Therefore, only PA-1 will see the user as a GlobalProtect (GP) user. All firewalls that retrieve the IP-user mapping from PA-1 will see all users as User-ID Agent (UIA) users, including those that connect to PA-1 through GlobalProtect.
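
Because the From value on PA-2 no longer says where a mapping came from, one way to recover it is to compare the two listings. The following is an added example, not Palo Alto Networks code: it parses saved output of the command shown above and reports, for each mapping on PA-2, the From value PA-1 holds. The function names, the 2.2.2.2 sample row, IPv4-only matching and identical vsys names on both firewalls are assumptions.

```python
import re

# Constructed sample output, modeled on the two listings in this article.
# The 2.2.2.2 row is invented to show a mapping PA-1 does not hold.
PA1_OUTPUT = """\
admin@PA-1> show user ip-user-mapping all

IP        Vsys   From   User           IdleTimeout(s) MaxTimeout(s)
--------- ------ ------ -------------- -------------- -------------
1.1.1.1   vsys1  GP     testuser       8410           8410
"""
PA2_OUTPUT = """\
admin@PA-2> show user ip-user-mapping all

IP        Vsys   From   User           IdleTimeout(s) MaxTimeout(s)
--------- ------ ------ -------------- -------------- -------------
1.1.1.1   vsys1  UIA    testuser       2926           2926
2.2.2.2   vsys1  UIA    user2          1200           1200
"""

# Data rows start with an IPv4 address; header, ruler and prompt lines do not.
ROW = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\S+)\s+(\S+)\s+\S+\s+\S+$")

def parse_mappings(text):
    """Return {(ip, vsys): {"from": ..., "user": ...}} for each data row."""
    mappings = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            ip, vsys, source, user = m.groups()
            mappings[(ip, vsys)] = {"from": source, "user": user}
    return mappings

def resolve_origin(collector, client):
    """List (ip, user, from_on_client, from_on_collector) per client mapping.

    from_on_collector is None when the collector has no mapping for that
    IP/vsys or maps it to a different user, so the origin cannot be
    taken from this collector.
    """
    report = []
    for (ip, vsys), entry in sorted(client.items()):
        upstream = collector.get((ip, vsys))
        same_user = upstream is not None and upstream["user"] == entry["user"]
        report.append((ip, entry["user"], entry["from"],
                       upstream["from"] if same_user else None))
    return report

if __name__ == "__main__":
    for row in resolve_origin(parse_mappings(PA1_OUTPUT), parse_mappings(PA2_OUTPUT)):
        print(row)
```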