https://live.paloaltonetworks.com/t5/general-topics/user-id-mapping-without-ldap-across-an-enterprise/m-p/568687#M114751 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/306035">@PA_nts</a> ,</P> <P>&nbsp;</P> <P>The following DOC describes the different methods of user mapping:</P> <P><A href="https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/user-id/user-id-concepts/user-mapping" target="_blank">https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/user-id/user-id-concepts/user-mapping</A></P> <P>&nbsp;</P> <P>Hope this helps,</P> <P>-Kim.</P> Wed, 06 Dec 2023 14:08:29 GMT kiwi 2023-12-06T14:08:29Z https://live.paloaltonetworks.com/t5/general-topics/user-id-mapping-without-ldap-across-an-enterprise/m-p/567772#M114650 <P>Hi All,</P> <P>&nbsp;</P> <P>not having the best day with thinking <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> <P>&nbsp;</P> <P>Palo Alto Scenario:</P> <P>&nbsp;</P> <P>PA FW CLuster in HQ<BR />Panorama Log Collector only in HQ<BR />Standalone PA FW in SiteA<BR />Standalone PA FW in SiteB<BR />Standalone PA FW in SiteC<BR />Standalone PA FW in SiteD</P> <P>&nbsp;</P> <P>No Panorama mgmt in place. All Sites have L3 connectivity back to HQ</P> <P><BR />FWs are configured to send logs to log collector in HQ</P> <P>Note: OS are a mix of Windows / Linux / MacOS / Android and IOS<BR />Not all users are AD users as we have byod / guests also. (else would have done ldap integration or similar)</P> <P>&nbsp;</P> <P>Goal - to be able to use security rules based on user-id / security groups rather than IPs accross all FWs</P> <P>In your opinion, What is the best solution for something like this.</P> <P>&nbsp;</P> <P>Global protect on FW cluster in HQ? <BR />if so we should be able to define user based access groups in the rules on FWs in the Sites? how would the FWS at the sites identify the users?<BR /><BR />Captive Portal on FW cluster in HQ?<BR />again - if so we should be able to define user based access groups in the rules on FWs in the Sites? how would the FWS at the sites identify the users?<BR /><BR />Any other options perhaps?<BR />thanks in adv</P> Thu, 30 Nov 2023 13:35:07 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-mapping-without-ldap-across-an-enterprise/m-p/567772#M114650 PA_nts 2023-11-30T13:35:07Z https://live.paloaltonetworks.com/t5/general-topics/user-id-mapping-without-ldap-across-an-enterprise/m-p/568687#M114751 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/306035">@PA_nts</a> ,</P> <P>&nbsp;</P> <P>The following DOC describes the different methods of user mapping:</P> <P><A href="https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/user-id/user-id-concepts/user-mapping" target="_blank">https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/user-id/user-id-concepts/user-mapping</A></P> <P>&nbsp;</P> <P>Hope this helps,</P> <P>-Kim.</P> Wed, 06 Dec 2023 14:08:29 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-mapping-without-ldap-across-an-enterprise/m-p/568687#M114751 kiwi 2023-12-06T14:08:29Z https://live.paloaltonetworks.com/t5/general-topics/user-id-mapping-without-ldap-across-an-enterprise/m-p/568939#M114786 <P>Hello,</P> <P>What I have are user-id agents on windows servers to grab active-directory logs, you can always use agentless. You can have all your PAN's connect directly to the user agents, or you can distribute the info from one PAN to others. I dont recommend client probing as this leaves the clients vulnerable to other things.&nbsp;</P> <P>&nbsp;</P> <P>Regards,</P> Thu, 07 Dec 2023 20:12:27 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-mapping-without-ldap-across-an-enterprise/m-p/568939#M114786 OtakarKlier 2023-12-07T20:12:27Z https://live.paloaltonetworks.com/t5/general-topics/user-id-mapping-without-ldap-across-an-enterprise/m-p/1250570#M126165 <P>He also asked about group mapping without LDAP. If I'm not mistaken, group mapping is only available with an LDAP server profile: "<SPAN>Use the following procedure to enable the firewall to connect to your LDAP directory and retrieve&nbsp;</SPAN><A class="xref" title="" href="https://docs.paloaltonetworks.com/content/techdocs/en_US/pan-os/11-0/pan-os-admin/user-id/user-id-concepts/group-mapping.html#id93306080-fd9b-4f1b-96a6-4bfe1c8e69df" data-type="" data-format="dita" data-scope="local" target="_blank">Group Mapping</A><SPAN>&nbsp;information."</SPAN></P> <P><SPAN><A href="https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/user-id/map-users-to-groups" target="_blank">https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/user-id/map-users-to-groups</A></SPAN></P> <P><SPAN>If not, I'm happy to hear another way. I'm currently looking for a workaround.</SPAN></P> <P><SPAN>BR</SPAN></P> Thu, 19 Mar 2026 15:43:27 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-mapping-without-ldap-across-an-enterprise/m-p/1250570#M126165 J.Dhling 2026-03-19T15:43:27Z