GlobalProtect Usernames With Local Authentication Overwritten by IP-user-mapping

Created On 09/26/18 13:51 PM - Last Modified 06/06/23 19:26 PM


Resolution


Issue

When a user connects to the Palo Alto Networks firewall through GlobalProtect (GP) and authenticates against the local user database, the user is correctly identified as a GP user. When the same user then accesses domain resources, the IP-user mapping is modified and shows the user as an AD user in the form "domain/username". As a consequence, security rules that specifically match GP users are no longer enforced for that user.


Cause

The local database carries no domain information, so the GP user appears as the bare username. However, after the GP user has been entered in the IP-user table, an update from the User-ID process may arrive for the same IP address, and the mapping is rewritten in the domain/username form. This is the expected behavior of PAN-OS.


To ensure that security policies are correctly applied to GlobalProtect users, perform one of the following tasks:

  • Add the AD form of the users (domain/username) to the policies written for GP users where needed.
  • Change GlobalProtect authentication from the local database to a remote method such as LDAP or RADIUS.

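As an added example (not part of this article and not Palo Alto Networks code), the following Python script audits the first workaround. Given the IP-user mappings as the firewall currently reports them and the source-user lists of the security rules written for GP users, it reports which local GP users already appear in their domain-qualified form and which rules still reference only the bare username. The user names, IP addresses, mapping layout and "source" labels are constructed for illustration and are not taken from a real firewall.

```python
"""Audit helper for the GlobalProtect local-user overwrite (constructed example)."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Mapping:
    """One row of the firewall's IP-user table (field layout assumed for this example)."""
    ip: str
    source: str   # e.g. "GP" for the GlobalProtect login, "AD" for a User-ID update (labels assumed)
    user: str


@dataclass
class SecurityRule:
    """A security rule and the users listed in its source-user field."""
    name: str
    source_users: list[str] = field(default_factory=list)


def split_user(user: str) -> tuple[str | None, str]:
    """Return (domain, username) in lower case; a bare local user has domain None.
    Both separators are accepted because the mapping table shows 'domain/username'
    while rule objects are often written as 'domain\\username'."""
    for sep in ("\\", "/"):
        if sep in user:
            domain, _, name = user.partition(sep)
            return domain.lower(), name.lower()
    return None, user.lower()


def overwritten_gp_users(mappings: list[Mapping], local_gp_users: set[str]) -> dict[str, str]:
    """Map each local GP username to the domain-qualified identity that has replaced
    it in the IP-user table. Users still mapped by bare name are not reported."""
    local = {u.lower() for u in local_gp_users}
    result: dict[str, str] = {}
    for m in mappings:
        domain, name = split_user(m.user)
        if domain is not None and name in local:
            result[name] = f"{domain}/{name}"
    return result


def rules_missing_ad_form(rules: list[SecurityRule], local_gp_users: set[str],
                          domain: str) -> dict[str, list[str]]:
    """Return {rule name: [missing AD-form users]} for rules that list a local GP
    user by bare name without also listing the domain-qualified form."""
    findings: dict[str, list[str]] = {}
    local = {u.lower() for u in local_gp_users}
    dom = domain.lower()
    for rule in rules:
        present = {split_user(u) for u in rule.source_users}
        bare = {name for d, name in present if d is None and name in local}
        missing = sorted(f"{domain}\\{name}" for name in bare if (dom, name) not in present)
        if missing:
            findings[rule.name] = missing
    return findings


# Constructed sample data: two local GP users, one of whom has already been
# overwritten by a User-ID update, plus three rules in varying states.
LOCAL_GP_USERS = {"alice", "bob"}
SAMPLE_MAPPINGS = [
    Mapping("10.10.1.5", "GP", "alice"),                 # still the bare local name
    Mapping("10.10.1.6", "AD", "example.local/bob"),     # overwritten after domain access
    Mapping("10.10.1.7", "AD", "example.local/carol"),   # not a GP user at all
]
SAMPLE_RULES = [
    SecurityRule("gp-users-to-dc", ["alice", "bob"]),              # bare names only
    SecurityRule("gp-bob-ok", ["bob", "example.local\\bob"]),      # both forms present
    SecurityRule("unrelated", ["example.local\\carol"]),           # no local GP users
]

if __name__ == "__main__":
    for name, ad_form in overwritten_gp_users(SAMPLE_MAPPINGS, LOCAL_GP_USERS).items():
        print(f"GP user '{name}' is now mapped as '{ad_form}'")
    for rule, missing in rules_missing_ad_form(SAMPLE_RULES, LOCAL_GP_USERS, "example.local").items():
        print(f"rule '{rule}' should also list: {', '.join(missing)}")
```

The rule audit reports a rule only when the bare local name is present and its domain-qualified twin is absent, so rules that already carry both forms (the state the first workaround leaves you in) produce no finding.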

owner: sberti


