Confused About User-ID and User Mapping

L2 Linker

Confused About User-ID and User Mapping

Regarding the User-ID Agent (Active Directory) feature of the firewall, I’m confused as to the difference and need for either the User Mapping and/or User-ID Agent. Is the User Mapping feature replacing the User-ID agent?

The units we have were setup prior to my employment as we 6 office locations and two data centers each data center with a 3050 unit which have 11 MS AD monitors (an AD server or two at each site and in the data centers), 3 Exchange monitors, and 1 User-ID agent. All Internet traffic from the office locations will go thru a 3050 unit at either data center using our MPLS infrastructure.


I’ve read the User-ID best practices etc… but still confused as to what is needed and how each works.

Appreciate any help and insight.


Passionate about network infrastructure and all things Palo Alto Networks.
L7 Applicator

Re: Confused About User-ID and User Mapping

Hello Jeff,

the user-id feature is used to identify the user in the session. It can also be used to write policies around an AD user or group. For example, you want to allow finance useres to access finance servers but no other users to access them. You can have the users in an AD group and write a policy and put that AD group into the 'Source User' field. I have used this in the past to seperate web-browsing as well as zoning off servers only accessible by certian AD users or groups.


I hope that helps clarify things instead of making them more convoluted.



L4 Transporter

Re: Confused About User-ID and User Mapping

Hi Jeff,


the User-ID-Agent is collecting infos of the AD-log ( successful logon events - User-ID and IP ) and push these info to the Firewall. You can see the mapping with: show user ip-user-mapping ip x.x.x.x

Instead of using USER-ID-Agent running on AD-Server you can configure this function on firewall as well (called agentless)




L5 Sessionator

Re: Confused About User-ID and User Mapping

User Mapping is a process which associates IP addresses with usernames. User mapping can get that info from many differnt sources:

- from AD with User-ID agent installed somewhere,

- from AD without any agent (PA itself sends quereis to AD)

- from GlobalProtect, 

- from Captive portals.

- from syslog listeners, 

- from exhange servers, 





Neither of these techniques is becoming obsolete.



L1 Bithead

Re: Confused About User-ID and User Mapping

as you said, i can put a AD group on to a policy to control this group. what if just wanna allow/deny one user?

manaully fill this username into 'source user' blank? is it correct?




Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!