topic Re: User-Id Mapping / Ignore user list in General Topics

User-Id Mapping / Ignore user list

RobertNagy — Tue, 02 Feb 2021 23:49:40 GMT

Hello,

I am running into an issue with Global Protect users due to remoting into other machines with other credentials. I have read extensive articles about the issue and understand that the firewall can only map one user name to an IP. That appears to be exactly what is happening., A user logs in and has internal connectivity, then logs into an RDP session. After logout that user has no connectivity due to the mapping being retained to the admin or service account. From what I gather, I need to exclude those accounts from user mapping. My uncertainty is in our setup. Our internal firewall has a server monitoring setup with all the remote DC's showing connected (Device / User Identification / User Mapping Tab / Server Monitoring). Each remote firewall under (Device / User Identification / User-Id Agents tab) has a mapping to the internal firewall. What I am looking for clarification on is whether I need to create the ignore user list on the internal firewall or each individual firewall. I would assume it would be the internal firewall but not 100 percent sure on this. Any help would be appreciated.

Re: User-Id Mapping / Ignore user list

BPry — Wed, 03 Feb 2021 04:18:41 GMT

@RobertNagy,

You would just need this on your internal firewall if you have your remote DCs setup through redistribution. You might want to think through all the ramifications of just blanket ignoring these accounts on the firewall however. You won't have these accounts to use in your rulebase or your logs anymore at all, so if they are being used in your rulebase at all to limit/allow traffic in other rules you'll have to take another look at that.

Re: User-Id Mapping / Ignore user list

reaper — Wed, 03 Feb 2021 09:40:25 GMT

instead of adding the users to the ignore list, you could add the GlobalProtect IP Pool to the exclude list in the userID agent

this will preserve GP user mapping at all time