https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-user-id-not-showing-if-connected-to-internal-gw/m-p/598985#M5870 <P>My company only uses the internal gateway detection to turn off gp, when connected to internally.&nbsp; But in any case you should be able to detect the users with the user id agent, if you have it scan the logs of domain controller or a file/print server that everyone uses.&nbsp; I'm not sure why global portect is not logging.&nbsp; You might want to open a ticket, so support can see all the sensitive settings to determine why that isn't being logged.</P> <P>&nbsp;</P> <P>Also there is a privilege escalation vulnerability with 6.2.3 client and older 6.2 releases.&nbsp; <A href="https://www.tenable.com/cve/CVE-2024-5915" target="_blank">https://www.tenable.com/cve/CVE-2024-5915</A> and&nbsp;<A href="https://security.paloaltonetworks.com/CVE-2024-5915" target="_blank">https://security.paloaltonetworks.com/CVE-2024-5915</A>&nbsp; 5.2 on CVSS v4, 7.8 on CVSS v3 and 6.8 on CVSS 2.0.&nbsp; These different cve scales are clear as mud...&nbsp;</P> Fri, 27 Sep 2024 14:48:32 GMT JustinWoodman 2024-09-27T14:48:32Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-user-id-not-showing-if-connected-to-internal-gw/m-p/598956#M5869 <P>Hello all,</P> <P>we have an issue that the User ID is not shown on the Palo if the GP Client is connected to the internal network.</P> <P>The detection is working but in the logs I can't see any user informations of internal connected clients.</P> <P>&nbsp;</P> <P>For our Global Protect Clients we are using pre-auth.</P> <P>Settings for pre-auth and for the User Configs, both the same.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="smindorf_0-1727430224035.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/62446iEA1C4C67B72B0E73/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="smindorf_0-1727430224035.png" alt="smindorf_0-1727430224035.png" /></span></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="smindorf_1-1727430278567.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/62447i4C90D5DBC3136CBF/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="smindorf_1-1727430278567.png" alt="smindorf_1-1727430278567.png" /></span></P> <P>&nbsp;</P> <P>Authentification is against Active Directory.</P> <P>External we have no problem, all Rules are based on Active Directory groups and it is working.</P> <P>&nbsp;</P> <P>If the User is internal Global Protect shows internal connection. But I can't see any user name in the Palo logs, but I can see connection informations like Username, Application...</P> <P>&nbsp;</P> <P>I' hv also read docs like:</P> <P>&nbsp;</P> <P><A href="https://docs.paloaltonetworks.com/best-practices/10-1/user-id-best-practices/user-id-best-practices/user-id-best-practices-for-globalprotect" target="_blank">User-ID Best Practices for GlobalProtect (paloaltonetworks.com)</A></P> <P>&nbsp;</P> <P>but it is not working. Maybe I missed some settings.</P> <P>On the LAN Zone, where the internal clients are connecting to is User ID enabled.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="smindorf_2-1727430625673.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/62448i8AB00889B934C8AA/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="smindorf_2-1727430625673.png" alt="smindorf_2-1727430625673.png" /></span></P> <P>Any hints where I can find a solution?</P> <P>&nbsp;</P> <P>Palo Infos:</P> <P>Model PA-3260</P> <P>Software Version 10.2.11-h1</P> <P>GlobalProtect Agent 6.2.3</P> <P>&nbsp;</P> <P>Kind regards,</P> <P>Sören</P> <P>&nbsp;</P> Fri, 27 Sep 2024 09:53:18 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-user-id-not-showing-if-connected-to-internal-gw/m-p/598956#M5869 smindorf 2024-09-27T09:53:18Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-user-id-not-showing-if-connected-to-internal-gw/m-p/598985#M5870 <P>My company only uses the internal gateway detection to turn off gp, when connected to internally.&nbsp; But in any case you should be able to detect the users with the user id agent, if you have it scan the logs of domain controller or a file/print server that everyone uses.&nbsp; I'm not sure why global portect is not logging.&nbsp; You might want to open a ticket, so support can see all the sensitive settings to determine why that isn't being logged.</P> <P>&nbsp;</P> <P>Also there is a privilege escalation vulnerability with 6.2.3 client and older 6.2 releases.&nbsp; <A href="https://www.tenable.com/cve/CVE-2024-5915" target="_blank">https://www.tenable.com/cve/CVE-2024-5915</A> and&nbsp;<A href="https://security.paloaltonetworks.com/CVE-2024-5915" target="_blank">https://security.paloaltonetworks.com/CVE-2024-5915</A>&nbsp; 5.2 on CVSS v4, 7.8 on CVSS v3 and 6.8 on CVSS 2.0.&nbsp; These different cve scales are clear as mud...&nbsp;</P> Fri, 27 Sep 2024 14:48:32 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-user-id-not-showing-if-connected-to-internal-gw/m-p/598985#M5870 JustinWoodman 2024-09-27T14:48:32Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-user-id-not-showing-if-connected-to-internal-gw/m-p/610026#M5983 <P>Hello,</P> <P>we have updated all GP clients. Thanks for the hint.</P> <P>&nbsp;</P> <P>Okay, I've opened a support Ticket and have discussed it.</P> <P>&nbsp;</P> <P>Solution:</P> <P>Add a Gateway on the Internal Interface, too and enable User-ID and minimal configuration.</P> <P>&nbsp;</P> <P>Thank you and Kind regards,</P> <P>Sören&nbsp; Mindorf</P> Mon, 21 Oct 2024 14:48:47 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-user-id-not-showing-if-connected-to-internal-gw/m-p/610026#M5983 smindorf 2024-10-21T14:48:47Z