topic Re: GlobalProtect user mapping not working in General Topics https://live.paloaltonetworks.com/t5/general-topics/globalprotect-user-mapping-not-working/m-p/9263#M6781 <HTML><HEAD></HEAD><BODY><P>Where you configured your GP Gateway, look there and the name for the GP Gateway is probably <SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;">vpn.xyz.si-N</SPAN></P><P></P><P>In the lab here we have the following output </P><P>admin@PA-200&gt; show global-protect-gateway current-user</P><P></P><P></P><P>GlobalProtect Gateway: GP_2connect (0 users)</P><P>Tunnel Name&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : GP_2connect</P><P></P><P>notice the Tunnel Name comes from what I've called the Gateway: Tab&gt;&gt;Network&gt;&gt;Global Protect Gateway as shown below:</P><P></P><P><IMG alt="GP.PNG" class="jive-image-thumbnail jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/5419_GP.PNG" width="450" /></P></BODY></HTML> Tue, 29 Jan 2013 23:33:08 GMT sjamaluddin 2013-01-29T23:33:08Z GlobalProtect user mapping not working https://live.paloaltonetworks.com/t5/general-topics/globalprotect-user-mapping-not-working/m-p/9262#M6780 <HTML><HEAD></HEAD><BODY><P>Hello.</P><P></P><P>We're having problems with user mapping for GlobalProtect users.</P><P>In this case there are 2 users connected to PA device, yet mapping isn't working for either of them: (IPs and names deleted from output)</P><P></P><P>astec@fw1(active)&gt; show global-protect-gateway current-user</P><P></P><P>GlobalProtect Gateway: vpn.xyz.si (2 users)</P><P>Tunnel Name&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : vpn.xyz.si-N</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Domain-User Name&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : :user1</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Computer&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : </P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Client&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : Microsoft Windows 7 Professional, 32-bit</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Private IP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : </P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Public IP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : </P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ESP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : exist</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SSL&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : none</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Login Time&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : Jan.18 14:16:52</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Logout/Expiration&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : Jan.19 14:16:52</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; TTL&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 82156</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Inactivity TTL&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 2956</P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Domain-User Name&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : :user2</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Computer&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : </P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Client&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : Microsoft Windows 7 Enterprise Edition Service Pack 1, 32-bit</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Private IP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : </P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Public IP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : </P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ESP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : exist</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SSL&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : none</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Login Time&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : Jan.18 14:32:23</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Logout/Expiration&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : Jan.19 14:32:23</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; TTL&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 83088</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Inactivity TTL&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 3949</P><P></P><P></P><P></P><P>astec@fw1(active)&gt;</P><P>astec@fw1(active)&gt; show user ip-user-mapping all type GP</P><P></P><P>IP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Vsys&nbsp;&nbsp; From&nbsp;&nbsp;&nbsp; User&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; IdleTimeout(s) MaxTimeout(s)</P><P>--------------- ------ ------- -------------------------------- -------------- -------------</P><P>Total: 0 users</P><P></P><P>astec@fw1(active)&gt; </P><P></P><P>We have "Enable User Identification" enabled on both security zones: the one from where GP connections are originating (internet) and the one which is used for GP tunnel (vpn-clients).</P><P>Pan-OS version is 5.0.1, we're also using (agent-less) AD user mapping which is working fine.</P><P>On the above output I notice that tunnel name is vpn.xyz.si-N while we're using tunnel interface tunnel.1 in our configuration. I can't find vpn.xyz.si-N tunnel listed under tunnel interfaces so I don't think it's associated with any security zone.</P><P></P><P>Can you please help us resolving this issue? Can you provide some info where did this new tunnel vpn.xyz.si-N come from?</P><P>Thanx!</P><P></P><P>Best regards, </P><P>Simon</P></BODY></HTML> Fri, 18 Jan 2013 14:43:10 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-user-mapping-not-working/m-p/9262#M6780 santonic 2013-01-18T14:43:10Z Re: GlobalProtect user mapping not working https://live.paloaltonetworks.com/t5/general-topics/globalprotect-user-mapping-not-working/m-p/9263#M6781 <HTML><HEAD></HEAD><BODY><P>Where you configured your GP Gateway, look there and the name for the GP Gateway is probably <SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;">vpn.xyz.si-N</SPAN></P><P></P><P>In the lab here we have the following output </P><P>admin@PA-200&gt; show global-protect-gateway current-user</P><P></P><P></P><P>GlobalProtect Gateway: GP_2connect (0 users)</P><P>Tunnel Name&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : GP_2connect</P><P></P><P>notice the Tunnel Name comes from what I've called the Gateway: Tab&gt;&gt;Network&gt;&gt;Global Protect Gateway as shown below:</P><P></P><P><IMG alt="GP.PNG" class="jive-image-thumbnail jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/5419_GP.PNG" width="450" /></P></BODY></HTML> Tue, 29 Jan 2013 23:33:08 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-user-mapping-not-working/m-p/9263#M6781 sjamaluddin 2013-01-29T23:33:08Z