https://live.paloaltonetworks.com/t5/general-topics/pan-os-11-1-user-id-policy-bloc-groups/m-p/1235254#M124887 <P>User-ID agent is working, but security policies are not. This is a common issue, and the problem is likely in your policy configuration, not the User-ID agent itself.</P> <P>Primary Fixes to Check:</P> <OL start="1"> <LI> <P>Policy Order: Your specific "allow group" policy must be placed above any broad "allow all users" policy. The firewall processes policies from top to bottom.</P> </LI> <LI> <P>Group Mapping: Even if user-to-IP mapping works, the group membership might not be. Go to Device &gt; User Identification &gt; Group Mapping Settings and confirm the group you're using in your policy is included and syncing correctly.</P> </LI> <LI> <P>Source Zone: Ensure the source zone in your policy has "User Identification" enabled.</P> </LI> <LI> <P>Commit: Always remember to commit your changes for them to take effect.</P> </LI> </OL> <P>It's highly probable the issue is with the policy order, which is the most frequent cause of this behavior.</P> Sun, 03 Aug 2025 17:23:23 GMT Mudhireddy 2025-08-03T17:23:23Z https://live.paloaltonetworks.com/t5/general-topics/pan-os-11-1-user-id-policy-bloc-groups/m-p/1235247#M124886 <P>Hi Paloalto 11.1, user ID agent configured, it's pulling users with ip.&nbsp;</P> <P>But using policy to block or allow the internet is not working</P> <P>It blocks all users; if all domain users are allowed, the internet will be allowed. If a particular group is selected to enable through policy, it is blocked. I can see users in the user ID section and logs.</P> <P>&nbsp;</P> <P>Please advise&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Sun, 03 Aug 2025 12:32:53 GMT https://live.paloaltonetworks.com/t5/general-topics/pan-os-11-1-user-id-policy-bloc-groups/m-p/1235247#M124886 V.John 2025-08-03T12:32:53Z https://live.paloaltonetworks.com/t5/general-topics/pan-os-11-1-user-id-policy-bloc-groups/m-p/1235254#M124887 <P>User-ID agent is working, but security policies are not. This is a common issue, and the problem is likely in your policy configuration, not the User-ID agent itself.</P> <P>Primary Fixes to Check:</P> <OL start="1"> <LI> <P>Policy Order: Your specific "allow group" policy must be placed above any broad "allow all users" policy. The firewall processes policies from top to bottom.</P> </LI> <LI> <P>Group Mapping: Even if user-to-IP mapping works, the group membership might not be. Go to Device &gt; User Identification &gt; Group Mapping Settings and confirm the group you're using in your policy is included and syncing correctly.</P> </LI> <LI> <P>Source Zone: Ensure the source zone in your policy has "User Identification" enabled.</P> </LI> <LI> <P>Commit: Always remember to commit your changes for them to take effect.</P> </LI> </OL> <P>It's highly probable the issue is with the policy order, which is the most frequent cause of this behavior.</P> Sun, 03 Aug 2025 17:23:23 GMT https://live.paloaltonetworks.com/t5/general-topics/pan-os-11-1-user-id-policy-bloc-groups/m-p/1235254#M124887 Mudhireddy 2025-08-03T17:23:23Z