https://live.paloaltonetworks.com/t5/general-topics/policy-with-user-id-don-t-work-in-palo-alto-networks/m-p/178950#M55609 <P>hello ,</P><P>&nbsp;</P><P>the identification is enable on your zones ?</P><P>DEvice&gt;network&gt;zone&gt; check the box "enable identification" in zone parameters</P><P>&nbsp;</P> Wed, 27 Sep 2017 13:09:31 GMT alle 2017-09-27T13:09:31Z https://live.paloaltonetworks.com/t5/general-topics/policy-with-user-id-don-t-work-in-palo-alto-networks/m-p/178916#M55606 <P>Hello,</P><P>&nbsp;</P><P>I have configured the users in the office to be identify with Active Directory. I can see the users identification in the Monitor tab. But when i set a rule with user AD identifier don't work!</P><P>&nbsp;</P><P>I add two rules :</P><P>&nbsp;</P><P>rule 1: deny access for a specific AD users to social networks</P><P>rule 2: allow access to any users&nbsp; (internet access).</P><P>&nbsp;</P><P>The first rulee always don't take effect . I saw the users always access to all sites with the second rule.</P><P>&nbsp;</P><P>There is any suggestion please .&nbsp;</P><P>&nbsp;</P><P>Thank you for help.</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 27 Sep 2017 09:57:53 GMT https://live.paloaltonetworks.com/t5/general-topics/policy-with-user-id-don-t-work-in-palo-alto-networks/m-p/178916#M55606 ra7oub4 2017-09-27T09:57:53Z https://live.paloaltonetworks.com/t5/general-topics/policy-with-user-id-don-t-work-in-palo-alto-networks/m-p/178941#M55608 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/73583">@ra7oub4</a>,</P> <P>&nbsp;</P> <P>Can you add more details about&nbsp;how the rules are configured and how the firewall is logging the actual sessions ?</P> <P>&nbsp;</P> <P>Cheers !</P> <P>-Kiwi.</P> Wed, 27 Sep 2017 11:35:43 GMT https://live.paloaltonetworks.com/t5/general-topics/policy-with-user-id-don-t-work-in-palo-alto-networks/m-p/178941#M55608 kiwi 2017-09-27T11:35:43Z https://live.paloaltonetworks.com/t5/general-topics/policy-with-user-id-don-t-work-in-palo-alto-networks/m-p/178950#M55609 <P>hello ,</P><P>&nbsp;</P><P>the identification is enable on your zones ?</P><P>DEvice&gt;network&gt;zone&gt; check the box "enable identification" in zone parameters</P><P>&nbsp;</P> Wed, 27 Sep 2017 13:09:31 GMT https://live.paloaltonetworks.com/t5/general-topics/policy-with-user-id-don-t-work-in-palo-alto-networks/m-p/178950#M55609 alle 2017-09-27T13:09:31Z https://live.paloaltonetworks.com/t5/general-topics/policy-with-user-id-don-t-work-in-palo-alto-networks/m-p/178962#M55615 <P>Click on mag glass and see what is session end reason.</P><P>Also go to URL filter log and see what action is for those users accessing unwanted sites.</P> Wed, 27 Sep 2017 13:55:31 GMT https://live.paloaltonetworks.com/t5/general-topics/policy-with-user-id-don-t-work-in-palo-alto-networks/m-p/178962#M55615 Raido_Rattameister 2017-09-27T13:55:31Z https://live.paloaltonetworks.com/t5/general-topics/policy-with-user-id-don-t-work-in-palo-alto-networks/m-p/178964#M55616 <P>from CLI.</P><P>&nbsp;</P><P>show user group list</P><P>&nbsp;</P><P>copy the fqdn for the restricted group.</P><P>&nbsp;</P><P>show user group name "paste fqdn"&nbsp;&nbsp; (use quotes if fqdn has spaces)</P><P>&nbsp;</P><P>scroll down to ensure users are in that group and ensue domain\ is same as username in policy.</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 27 Sep 2017 14:20:56 GMT https://live.paloaltonetworks.com/t5/general-topics/policy-with-user-id-don-t-work-in-palo-alto-networks/m-p/178964#M55616 Mick_Ball 2017-09-27T14:20:56Z https://live.paloaltonetworks.com/t5/general-topics/policy-with-user-id-don-t-work-in-palo-alto-networks/m-p/178965#M55617 <P>To identify user's group membership it is easier to use following command:</P><P>&gt; show user user-ids match-user raido</P> Wed, 27 Sep 2017 14:23:44 GMT https://live.paloaltonetworks.com/t5/general-topics/policy-with-user-id-don-t-work-in-palo-alto-networks/m-p/178965#M55617 Raido_Rattameister 2017-09-27T14:23:44Z https://live.paloaltonetworks.com/t5/general-topics/policy-with-user-id-don-t-work-in-palo-alto-networks/m-p/178967#M55618 <P>Noted...&nbsp;&nbsp;&nbsp; thankyou.</P> Wed, 27 Sep 2017 14:28:56 GMT https://live.paloaltonetworks.com/t5/general-topics/policy-with-user-id-don-t-work-in-palo-alto-networks/m-p/178967#M55618 Mick_Ball 2017-09-27T14:28:56Z https://live.paloaltonetworks.com/t5/general-topics/policy-with-user-id-don-t-work-in-palo-alto-networks/m-p/179189#M55649 <P>Hello,</P><P>&nbsp;</P><P>Thank you very much for your helps.</P><P>&nbsp;</P><P>The problem is solved .</P><P>&nbsp;</P><P>&nbsp;</P><P>Thank you very much for all your response.</P> Thu, 28 Sep 2017 15:26:49 GMT https://live.paloaltonetworks.com/t5/general-topics/policy-with-user-id-don-t-work-in-palo-alto-networks/m-p/179189#M55649 ra7oub4 2017-09-28T15:26:49Z