we have configured rules with group mapping using LDAP.
We have one user where he switch between user ids and when he trieds to login to server with user id not allowed in list he gets
should he log off and log on as best practice when he switch between user ids?
Solved! Go to Solution.
Does this user normally works with his default user but needs to use another one for task that require administrative privileges and the user-ids are switching between these two? Or uses scripts that run as another user, maybe a service account?
works fine with default user account but user need to access some apps for that he has to login to those apps with different user id.
And thats what causes the problem.
Domain is same for both the default user account and other apps.
Try to add user to run apps with into ignore list.
So your scenario, if I understand it, is that you have a user using "switch user" in Windows to switch between sessions? And after he switches to a new session, he can no longer access what he wants to on the network, because the user account that he switched to doesn't meet your rule User-ID criteria?
That sort of sounds like it is working as intended, or else you need to add the account that he's switching to into the rule User-ID criteria. Adding the user account that he's switching to into the user-ignore-list.txt would prevent that account from being "learned" by the Palo Alto - ever. Not just on this machine...any time that account is used, it will not be learned by your firewall.
In the background, the user-ID agent is monitoring the authentication logs from your domain controllers. When the user switches, a successful authentication event is recorded on your DCs. The User-ID agent sees that log entry, notes the IP address and the user account, and then updates the firewall with the second user in the IP-to-User-mappings. This is now how your firewall will evaluate that IP address - with the new user account. Switching back to your original user should over-write that entry, because another authentication event takes place. And this is why adding the user to the ignore list will work - your authentication event for your second account will never get recorded by the user-id agent/updated in the IP-to-User-mappings in the firewall.
One other option is to deploy a global protect agent to authenticate to an internal (no tunnel) gateway on your firewalls, just to learn the user ID's.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!