https://live.paloaltonetworks.com/t5/next-generation-firewall/userid-mapping-for-users-usings-azure-vpn-gateway-and-azuread/m-p/1234696#M6129 <P>Hi JPope,</P> <P>&nbsp;</P> <P>There is no native support for you scenario.&nbsp; &nbsp;Since you are authenticating via the Azure VPN gateway using Azure Point to site , only azure knows the user to ip mapping and palo is not aware of this.&nbsp; I don't know you Azure landscape but i am assuming you have deployed a hub and spoke topology inside Azure and your palo is inside the HUB.&nbsp; You could deploy a global protect gateway on your palo alto in Azure and user an Azure Application Gateway or External Loadbalancer to publish the global protect portal/gateway out to the internet.</P> <P>And then let you remote user use global protect then you will have all the info you need, of course this would require a redesign of your topology.</P> <P>Another approach is somehow getting the S2SVPN Logs forwarded to your palo alto firewall.&nbsp; &nbsp;The theortical approach would then be don't see any reason why it won't work but i will take time and effort.&nbsp;</P> <P>Azure VPN Gateway<BR />↓&nbsp; enable (Diagnostic logs)<BR />Log Analytics Workspace<BR />↓ (queried by Azure Function)<BR />Azure Function (Python)<BR />↓<BR />Palo Alto Firewall (User-ID XML API)</P> <P>&nbsp;</P> <P>But in short no easy way of doing this.</P> <P>&nbsp;</P> Fri, 25 Jul 2025 13:18:49 GMT F.DeMuyter 2025-07-25T13:18:49Z https://live.paloaltonetworks.com/t5/next-generation-firewall/userid-mapping-for-users-usings-azure-vpn-gateway-and-azuread/m-p/1234372#M6106 <P>Hi All,</P> <P>&nbsp;</P> <P>I have a unique scenario. We have a PA VM Firewall in Azure. We use Azure VPN Gateway to allow users to VPN in if need be (mainly 3rd party support) to get to services on the other side of the FW. The user's credentials authenticate against AzureAD using MFA. I need to know if there is a way to implement UserID, or something similar, that will allow me to set specific policies on which user or group of users has VPNed in using the groups they are in AzureAD.</P> <P>&nbsp;</P> <P>The user accounts are also replicated to on-prem AD, so I don't know if that helps with a solution.</P> <P>&nbsp;</P> <P>Thanks</P> Mon, 21 Jul 2025 16:49:56 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/userid-mapping-for-users-usings-azure-vpn-gateway-and-azuread/m-p/1234372#M6106 JPope_ITG 2025-07-21T16:49:56Z https://live.paloaltonetworks.com/t5/next-generation-firewall/userid-mapping-for-users-usings-azure-vpn-gateway-and-azuread/m-p/1234696#M6129 <P>Hi JPope,</P> <P>&nbsp;</P> <P>There is no native support for you scenario.&nbsp; &nbsp;Since you are authenticating via the Azure VPN gateway using Azure Point to site , only azure knows the user to ip mapping and palo is not aware of this.&nbsp; I don't know you Azure landscape but i am assuming you have deployed a hub and spoke topology inside Azure and your palo is inside the HUB.&nbsp; You could deploy a global protect gateway on your palo alto in Azure and user an Azure Application Gateway or External Loadbalancer to publish the global protect portal/gateway out to the internet.</P> <P>And then let you remote user use global protect then you will have all the info you need, of course this would require a redesign of your topology.</P> <P>Another approach is somehow getting the S2SVPN Logs forwarded to your palo alto firewall.&nbsp; &nbsp;The theortical approach would then be don't see any reason why it won't work but i will take time and effort.&nbsp;</P> <P>Azure VPN Gateway<BR />↓&nbsp; enable (Diagnostic logs)<BR />Log Analytics Workspace<BR />↓ (queried by Azure Function)<BR />Azure Function (Python)<BR />↓<BR />Palo Alto Firewall (User-ID XML API)</P> <P>&nbsp;</P> <P>But in short no easy way of doing this.</P> <P>&nbsp;</P> Fri, 25 Jul 2025 13:18:49 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/userid-mapping-for-users-usings-azure-vpn-gateway-and-azuread/m-p/1234696#M6129 F.DeMuyter 2025-07-25T13:18:49Z