We recently installed two 3020s in active-passive and connected them to our LDAP. We see some users are mapping, but not all.
Is there a way for unknown users to authenticate to the Palo Alto so they are given the correct policy? This was a very simple procedure in our previous Lightspeed filter.
A local user agent would be ideal!
You should use GlobalProtect client (installed on workstations) to ID users on your network. You should look for documents talking about Global Protect and internal gateways.
are the userID agents connected to every DC or do you only have one? It could be possible that some user are authenticated on a DC which is not monitored from your userID agents. If the users are not mapped and userID is activated for the zone the agents will try to resolve the user with WMI requests. If this doesn't work you can activate captive portal so every connection with an unkown user will have to authenticate through captive portal.
If you want to use the Gobal Protect Client it's free if you only use one portal and external gateway.
You won't need a licence for your use. Global PRotect client is best way when you are running Macs on your network.
PAN can help you configure these through Professional Services consulting
If you don't want to install Global Protect, you could configure captive portal to kick in for unknown users.
Overview and procedure:
Minor updates in PAN-OS 5:
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!