https://live.paloaltonetworks.com/t5/general-topics/traffic-processing-when-user-information-may-be-outdated/m-p/124633#M46345 <P>He wouldn't be able to put a single packet on network cause of duplicate IP address <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>&nbsp;</P><P>User-ID works on IP to user mapping table. This table is populated either through AD queries, reading AD logs, GP authentication or captive portals. Command "show user ip-user-mapping all" in CLI shows this table. This table is used when mapping users to IP addresses.</P><P>&nbsp;</P><P>Each entry has a sort of time-to-live atribute called timeout. Losing connectivity with AD won't change this table. But eventually AD entries in this table will timeout and users won't be 'recognised' again. Which means rules with user restrictions won't match any more for these users.&nbsp;</P> Mon, 07 Nov 2016 14:02:14 GMT santonic 2016-11-07T14:02:14Z https://live.paloaltonetworks.com/t5/general-topics/traffic-processing-when-user-information-may-be-outdated/m-p/124603#M46338 <P>Hello!</P><P>Could you please expalin what's the default traffic policy&nbsp;when new authentication agent/AD DC info is unavailable for some reason.</P><P>Does&nbsp;the user-based rules get automatically turned off or someting?</P><P>Does the traffic which gets under user-based firewall rules get passed or dropped?</P> Mon, 07 Nov 2016 12:17:52 GMT https://live.paloaltonetworks.com/t5/general-topics/traffic-processing-when-user-information-may-be-outdated/m-p/124603#M46338 MilosS 2016-11-07T12:17:52Z https://live.paloaltonetworks.com/t5/general-topics/traffic-processing-when-user-information-may-be-outdated/m-p/124617#M46341 <P>No policies&nbsp;are not changing dynamically. It will use a cache, think it is 45 minutes then your policy wouldn't match and traffic will hit a default deny rule.</P> Mon, 07 Nov 2016 13:12:40 GMT https://live.paloaltonetworks.com/t5/general-topics/traffic-processing-when-user-information-may-be-outdated/m-p/124617#M46341 TranceforLife 2016-11-07T13:12:40Z https://live.paloaltonetworks.com/t5/general-topics/traffic-processing-when-user-information-may-be-outdated/m-p/124628#M46342 <P>And what if some villain uses valid user IP to match cache value? <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>Is there some alert that authentication cache may be outdated?</P> Mon, 07 Nov 2016 13:26:26 GMT https://live.paloaltonetworks.com/t5/general-topics/traffic-processing-when-user-information-may-be-outdated/m-p/124628#M46342 MilosS 2016-11-07T13:26:26Z https://live.paloaltonetworks.com/t5/general-topics/traffic-processing-when-user-information-may-be-outdated/m-p/124633#M46345 <P>He wouldn't be able to put a single packet on network cause of duplicate IP address <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>&nbsp;</P><P>User-ID works on IP to user mapping table. This table is populated either through AD queries, reading AD logs, GP authentication or captive portals. Command "show user ip-user-mapping all" in CLI shows this table. This table is used when mapping users to IP addresses.</P><P>&nbsp;</P><P>Each entry has a sort of time-to-live atribute called timeout. Losing connectivity with AD won't change this table. But eventually AD entries in this table will timeout and users won't be 'recognised' again. Which means rules with user restrictions won't match any more for these users.&nbsp;</P> Mon, 07 Nov 2016 14:02:14 GMT https://live.paloaltonetworks.com/t5/general-topics/traffic-processing-when-user-information-may-be-outdated/m-p/124633#M46345 santonic 2016-11-07T14:02:14Z