Does GlobalProtect refresh USER-ID bindings mid session?

L0 Member

The GlobalProtect section of the Admin guide for PAN-OS 8 says the following:

For mobile or roaming users, the GlobalProtect client provides the user mapping information to the firewall directly. In this case, every GlobalProtect user has an agent or app running on the client that requires the user to enter login credentials for VPN access to the firewall. This login information is then added to the User-ID user mapping table on the firewall for visibility and user-based security policy enforcement. Because GlobalProtect users must authenticate to gain access to the network, the IP address-to-username mapping is explicitly known.

https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/user-id/user-id-concepts/user-mapping/glob...

The USER-ID binding cache is set to expire every 45 minutes. Assume that client probing is not in use, but the Palo Alto GlobalProtect client is being used as a remote access VPN. When a user logs in, the timer resets. Will the GlobalProtect agent update the USER-ID cache on the firewall proactively or at regular intervals to prevent the USER-ID binding being lost, or will the cache simply be cleared after 45 minutes provided no other login events are detected?

Community Team Member

It should be just as you wrote.

The User-ID times out after 45 minutes of inactivity, that is, there is no action by that user/IP, and it will drop off the list until there is more activity by that user/IP. As soon as they are active again, then the User-ID information will be re-populated again.

Stay Secure,
Joe
End of line
L0 Member

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClWjCAK

This article suggests that, even if active, the USER-ID will revert to an Unknown state when the timer expires. I am looking to know when the GlobalProtect client updates the USER-ID cache. If it only does it at login, then the user will experience possible issues until they re-log in to the VPN.

What I'm asking is when does the GlobalProtect client refresh the USER-ID binding.
