topic Does GlobalProtect refresh USER-ID bindings mid session? in General Topics

Does GlobalProtect refresh USER-ID bindings mid session?

Kieran_Drain — Fri, 25 Oct 2019 13:19:52 GMT

The GlobalProtect section of the Admin guide for PAN-OS 8 says the following:

For mobile or roaming users, the GlobalProtect client provides the user mapping information to the firewall directly. In this case, every GlobalProtect user has an agent or app running on the client that requires the user to enter login credentials for VPN access to the firewall. This login information is then added to the User-ID user mapping table on the firewall for visibility and user-based security policy enforcement. Because GlobalProtect users must authenticate to gain access to the network, the IP address-to-username mapping is explicitly known.

https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/user-id/user-id-concepts/user-mapping/globalprotect

The USER-ID binding cache is set to expire every 45 minutes. Assuming that client probing is not in use but the Palo Alto GlobalProtect client is being used as a remote access VPN. When a user logs in the timer resets. Will the GlobalProtect agent update the USER-ID cache proactively on the firewall or at regular intervals to prevent the USER-ID binding being lost or will the cache simply be cleared after 45 minutes provided no other login events are detected?

Re: Does GlobalProtect refresh USER-ID bindings mid session?

jdelio — Fri, 25 Oct 2019 17:12:50 GMT

It should be just as you wrote.

The User-ID times out after 45 minutes of inactivity, that is, there is no action by that user/IP, and it will drop off the list until there is more activity by that user/IP. As soon as they are active again, then the User-ID information will be re-populated again.

Re: Does GlobalProtect refresh USER-ID bindings mid session?

Kieran_Drain — Mon, 28 Oct 2019 08:14:11 GMT

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClWjCAK

This article suggests that even if active the USER-ID will revert to an Unknown state when the timer expires. I am looking to know when the GlobalProect client updates the USER-ID Cache. If it only does it at login then the user will experience possible issues until they re-log in to the VPN.

What I'm asking is when does the GlobalProtect client refresh the USER-ID binding.

Re: Does GlobalProtect refresh USER-ID bindings mid session?

jmora — Sat, 25 Sep 2021 20:55:08 GMT

This is the true answer but a chunk of it so go to the link that I posted under this clarification:

The following is an example of a scenario when a user may become "Unknown" to the Palo Alto Networks firewall:

A user logs in at Time0 (T0), the User-ID Agent sees the login in the AD security log and maps the IP to the user. The entry is sent to the firewall and it also creates an entry with the same lifetime (MaxTimeout) as the UIDAgent
30 minutes later (T0 + 30), the user sends data through the firewall. User is still identified.
14 minutes later (T0 + 44), the user sends more data. The user still has an active mapping.
2 minutes later (T1 = T0 + 46), the mapping on the agent ages out, and the removal is communicated to the firewall. Mapping is deleted on the firewall.
58 minutes later (T1 + 58), the user sends more data. The cache on the firewall was expired, so it requests an IP mapping from the agent but receives "Unknown" user

Note: This user will remain "Unknown" until :

- the user logs back into the domain
- a positive security audit log is picked up by the UIDAgent
- a wmi/netbios probe positively identifies the user

Note: If WMI probing is not used, then increase the user identification timeout to 600 minutes (either on the firewall or User ID Agent)

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClWjCAK