GlobalProtect ip-user-mapping issue

Showing results for 
Search instead for 
Did you mean: 

GlobalProtect ip-user-mapping issue

L2 Linker


PAN-OS 5.0.2

Hello, we've deployed GlobalProtect with local user authentication (authentication profile = local database), user identification is enabled both on trust and vpnclient zones.

Also, user mapping is enabled with UID Agent directly from the firewall.

Everything's working fine with vpn authentication, once connected the client shows up as the LOCAL user as expected:

IP address: (vsys1)  <<<<<<<<<<<<< assigned ip address range is

User:        abcde         <<<<<<<<<<<<<<<<<< this is in the local user database

From:        GP

Idle Timeout: 2591965s

Max. TTL:    2591965s

Groups that the user belongs to (used in policy)

When the vpn client starts to generate traffic to/from internal lan accessing active directory resources (i.e. remote desktop or network shares) it has to authenticate towards Active Directory with domain credentials.

This obviously also generates security logs on the DCs, which are read by onboard UID agents causing ip-user-mapping to change from LOCAL user to AD user for the same ip address:

IP address: (vsys1)

User:        testdomain\testuser   <<<<<<<<<<<<<<<<< this is the AD account used to authenticate when accessing internal lan resources

From:        AD

Idle Timeout: 2699s

Max. TTL:    2696s

Groups that the user belongs to (used in policy)

Group(s):    cn=vpn_users-all,ou=vpn,dc=testdomain,dc=local

This is causing issues since security policies for vpn clients are setup with LOCAL users and not AD users, as obviuos.

I'm aware that using AD authentication for GlobalProtect would be advisable, but now we have to keep on with local user authentication.

Haw can we prevent AD user-ip-mapping from overwriting the initial (correct) GlobalProtect mapping for vpn client network range

ps: I've tried the Include/Exclude Network option in Use Mapping section by entering the exclusion for, but with no success.

Thank You


L4 Transporter

Maybe you could use the CLI command set user-id-collector include-exclude-network in order to exclude GP IP Pool from AD IP usermapping ?



L6 Presenter

I have done a quick test on 5.0.1 on my PA and I do see the same behavior. I have excluded the network as shown below in the running configuration from the CLIScreen Shot 2013-02-22 at 9.54.41 AM.png

But User-IP-Mappings for the IP of the GP client are still mapped if I access an AD inside my network as shown below

Screen Shot 2013-02-22 at 9.55.12 AM.png

This is not working a expected. I would suggest you to open a ticket with support for further help.


Sandeep T


did you managed with this?

we are having almost the same issues.

what have you done?


Hi minov

This topis is near one year old. What version of PAN do you have installed?

Please upgarde to 5.0.9, I'm on 5.0.9 and I haven't such problems.



5.0.9 i have a user authenticate through Radius, and then RDP to a server and some shares then the user-ip-mapping changes to the AD user which have different policy

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!