topic PA User identification in General Topics

PA User identification

minow — Tue, 28 Jan 2014 07:22:59 GMT

How PA decide on user IDs, for example if i have an IP that the user was mapped from UIA, and then a security log in AD map this IP to another user?

or a user that loging with global protect through local DB, and then authenticate to AD, and the PA gets a new mapping from the agent ?

thanks

Re: PA User identification

HULK — Tue, 28 Jan 2014 15:55:58 GMT

Pls go through this document to understand the User-Identification working functionality : User Identification Tech Note - PAN-OS 4.0

Thanks

Re: PA User identification

minow — Wed, 29 Jan 2014 17:49:52 GMT

yes i know how it works but i have a GP user and sometimes the user is changed and sometimes does not

i mean changed from GP to AD, only somtime after a user loging to RDP server, or does the UID service just update the IP-user-mapping regardless the current mapping source?

IP address: x.x.x.x (vsys1)

User: domain\user

From: AD

Idle Timeout: 2692s

Max. TTL: 2689s

Groups that the user belongs to (used in policy)

Group(s):

admin@PA(active)> show user ip-user-mapping ip x.x.x.x

IP address: x.x.x.x (vsys1)

User: domain\user

From: GP

Idle Timeout: 17889s

Max. TTL: 17889s

Groups that the user belongs to (used in policy)

Group(s):

Re: PA User identification

sraghunandan — Wed, 29 Jan 2014 19:56:51 GMT

So an ip gets identified as being mapped from GP and the very same ip changes the source to AD, is that the issue, please let us know.The ip pool given to your GP users are different from your internal users right?

Re: PA User identification

minow — Fri, 31 Jan 2014 10:47:11 GMT

yes, adn the zone of the GP user is defferent

i have read that the the mapping of the user to ip of a GP user is bind to the connection of the client to the GW, so as soon as the user log in/out the mapping created and removed,

can i remote the UID from the zone or exclude the mapping on the GP pool have someone tried that?