Does GlobalProtect refresh USER-ID bindings mid session?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Does GlobalProtect refresh USER-ID bindings mid session?

L0 Member

The GlobalProtect section of the Admin guide for PAN-OS 8 says the following:

For mobile or roaming users, the GlobalProtect client provides the user mapping information to the firewall directly. In this case, every GlobalProtect user has an agent or app running on the client that requires the user to enter login credentials for VPN access to the firewall. This login information is then added to the User-ID user mapping table on the firewall for visibility and user-based security policy enforcement. Because GlobalProtect users must authenticate to gain access to the network, the IP address-to-username mapping is explicitly known.

 

https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/user-id/user-id-concepts/user-mapping/glob...

 

The USER-ID binding cache is set to expire every 45 minutes. Assuming that client probing is not in use but the Palo Alto GlobalProtect client is being used as a remote access VPN. When a user logs in the timer resets. Will the GlobalProtect agent update the USER-ID cache proactively on the firewall or at regular intervals to prevent the USER-ID binding being lost or will the cache simply be cleared after 45 minutes provided no other login events are detected?

 

3 REPLIES 3

L7 Applicator

It should be just as you wrote. 

The User-ID times out after 45 minutes of inactivity, that is, there is no  action by that user/IP, and it will drop off the list until there is more activity by that user/IP.  As soon as they are active again, then the User-ID information will be re-populated again.

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClWjCAK

 

This article suggests that even if active the USER-ID will revert to an Unknown state when the timer expires. I am looking to know when the GlobalProect client updates the USER-ID Cache. If it only does it at login then the user will experience possible issues until they re-log in to the VPN.

 

What I'm asking is when does the GlobalProtect client refresh the USER-ID binding.

L1 Bithead

 

This is the true answer but a chunk of it so go to the link that I posted under this clarification:

 

The following is an example of a scenario when a user may become "Unknown" to the Palo Alto Networks firewall:

  • A user logs in at Time0 (T0), the User-ID Agent sees the login in the AD security log and maps the IP to the user. The entry is sent to the firewall and it also creates an entry with the same lifetime (MaxTimeout) as the UIDAgent
  • 30 minutes later (T0 + 30), the user sends data through the firewall. User is still identified.
  • 14 minutes later (T0 + 44), the user sends more data. The user still has an active mapping.
  • 2 minutes later (T1 = T0 + 46), the mapping on the agent ages out, and the removal is communicated to the firewall. Mapping is deleted on the firewall.
  • 58 minutes later (T1 + 58), the user sends more data. The cache on the firewall was expired, so it requests an IP mapping from the agent but receives "Unknown" user

Note: This user will remain "Unknown" until  :

    • the user logs back into the domain
    • a positive security audit log is picked up by the UIDAgent
    • a wmi/netbios probe positively identifies the user    

Note: If WMI probing is not used, then increase the user identification timeout to 600 minutes (either on the firewall or User ID Agent)

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClWjCAK

  • 5159 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!