Agentless USER-ID - rules



Good Day


I'm testing User-ID in policy rules and it's not working the way I thought it would.


Example Rule

src zone/ip - Zone A/any

dst zone/ip - Zone B/any

user - gdc\test.user

application - any

service - application-default

action - allow


I start a ping to a server/workstation from Zone A to Zone B and I get a request timeout, but if I remove the user the ping works.


This is not how I thought it would work. I thought that if I'm pinging from a workstation logged in as test.user, and I added that user to the rule, the ping would go through, but it isn't.


Can you tell me why this is happening?







Have you validated that the firewall has a mapping of the IP to the user?


Do you see a deny log showing the ICMP request with the source user the traffic is being generated from?

Yes, it connects to the AD and brings back the User-ID mappings, and yes, it is dropping the ICMP ping, but as I mentioned, if I delete the user the ping works.


When you are looking at the logs, click the magnifying glass on the far left and see if it's picking up the username.



When you say "it brings back the User-ID mappings", does it actually provide the IP-to-user mapping for the source user in question?


In the deny log, does the denied ICMP request show the source user ID that you're expecting?


You should see something like this:


ME@FIREWALLNAME(active)> show user ip-user-mapping(mp) ip (USER IP 1.1.11)

IP address: (USER IP (vsys1)
User: (USER ID)
From: UIA
Idle Timeout: 3371s
Max. TTL: 3371s
Groups that the user belongs to (used in policy)

Yes, I get the correct user mapping. The rule is jumped over and the traffic goes to the deny-all rule at the bottom of the rule set... which is weird, but if I set the User tab to "known-user" it works..... but not if I choose "select" and put in the group.

@burtond, some screenshots might be helpful for us... Rule/Logs.


Also, if you're using a "group" in the rule, do you have that group in the "Group Mapping"? In User Identification, in the "Group Include List"?

Yes, I've even removed the User Identification setting, committed, and configured it again, and still the same issue.





Screenshots attached:

User Mappings
All the groups
Group Domain Users
Rule that works
Ping to Zone B
Ping Allowed
Rule that doesn't work
Ping to Zone B 2
Ping dropped







In your group mapping, the users are mapped as '\user', while in the user mapping the user is 'zonea\user'.

This means the mapping information from the group is set to the FQDN, while the UID agent collects the NetBIOS domain.

This causes a mismatch when your security policy is set to a group.



You can resolve this issue by setting the group mapping user domain to the NetBIOS version:




Once this is committed, refresh your group mapping:

> debug user-id reset group-mapping all
> debug user-id refresh group-mapping all

Afterward, your users should start showing up in the group listing as zonea\user1, zonea\user2, etc.



Hope this helps.


Tom Piens
PANgurus - SASE and Strata specialist; (co)managed services, VAR and consultancy
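The following is an added example and is not code from the thread above or from Palo Alto Networks. It models the literal "domain\user" string comparison that the group-based rule depends on, so the FQDN-versus-NetBIOS mismatch Tom describes can be spotted before committing a rule on a group, and it models the effect of the user-domain override on the group-mapping profile. The IP-to-user mappings and group members below are constructed sample data written as plain "domain\user" strings; the real CLI output formats are not parsed, and the assumption that PAN-OS matches the full user string case-insensitively is the author's of this example, not a statement from the page.

```python
"""
Added example, not code from the original thread or from Palo Alto Networks:
model how a group-based security rule matches the User-ID string, so the
FQDN-vs-NetBIOS mismatch described above can be spotted before a commit.

Assumptions (not stated on the page):
- Each side is given as plain "domain\\user" strings, e.g. copied by hand
  from `show user ip-user-mapping all` and `show user group name "<group>"`.
  No attempt is made to parse the real CLI output; all sample data below
  is constructed.
- The firewall compares the full "domain\\user" string literally and
  case-insensitively, so lower-casing is the only normalisation applied.
"""
from collections import defaultdict

# Constructed sample: IP-to-user mappings learned by agentless User-ID (NetBIOS domain).
IP_USER_MAPPINGS = {
    "10.1.1.10": "zonea\\test.user",
    "10.1.1.11": "zonea\\user1",
    "10.1.1.12": "zonea\\svc.backup",   # constructed: not a member of any mapped group
}

# Constructed sample: group members as returned by group mapping before the fix,
# carrying the FQDN of the domain rather than its NetBIOS name.
GROUP_MEMBERS_BEFORE = {
    "domain users": ["zonea.local\\test.user", "zonea.local\\user1"],
}


def split_user(entry):
    """Split 'domain\\user' into (domain, user). An entry without a backslash
    (or a bare '\\user', as in the thread) yields an empty domain."""
    domain, sep, user = entry.lower().rpartition("\\")
    return (domain, user) if sep else ("", user)


def rewrite_user_domain(group_members, user_domain):
    """Model the effect of the 'User Domain' setting on the LDAP group-mapping
    profile: every member is re-emitted as '<user_domain>\\<account>'."""
    return {
        group: [f"{user_domain.lower()}\\{split_user(m)[1]}" for m in members]
        for group, members in group_members.items()
    }


def find_mismatches(ip_user_mappings, group_members):
    """Return {ip: (learned_user, [group strings for the same account])} for
    every learned user whose exact string appears in no group. A non-empty
    list means the account is present under another domain prefix (the
    mismatch from the thread); an empty list means it is in no group at all."""
    by_account = defaultdict(set)
    for members in group_members.values():
        for m in members:
            by_account[split_user(m)[1]].add(m.lower())

    mismatches = {}
    for ip, learned in ip_user_mappings.items():
        same_account = by_account.get(split_user(learned)[1], set())
        if learned.lower() not in same_account:
            mismatches[ip] = (learned, sorted(same_account))
    return mismatches


if __name__ == "__main__":
    fixed = rewrite_user_domain(GROUP_MEMBERS_BEFORE, "zonea")
    for label, groups in (("before fix", GROUP_MEMBERS_BEFORE), ("after fix", fixed)):
        print(f"== {label} ==")
        for ip, (learned, seen) in find_mismatches(IP_USER_MAPPINGS, groups).items():
            print(f"{ip}: {learned!r} matches no group entry; same account seen as {seen}")
```

Run stand-alone, the "before fix" pass reports every learned user, because 'zonea\test.user' is never equal to 'zonea.local\test.user'; after rewriting the group members with the NetBIOS domain only the service account remains, flagged with an empty list, which is the legitimate "user is in no mapped group" case rather than the prefix mismatch.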

I'm running PAN-VM version 6.17, so the Group Mapping - Server Profile tab looks like this:

Screenshot attached: Group Mappings



I found it, it is under the Server Profile - LDAP, thanks

Thanks Reaper, worked like a charm....very cool
