This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

GlobalProtect user mapping not working

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

GlobalProtect user mapping not working

santonic
L6 Presenter

‎01-18-2013 06:43 AM

Hello.

We're having problems with user mapping for GlobalProtect users.

In this case there are 2 users connected to PA device, yet mapping isn't working for either of them: (IPs and names deleted from output)

astec@fw1(active)> show global-protect-gateway current-user

GlobalProtect Gateway: vpn.xyz.si (2 users)

Tunnel Name          : vpn.xyz.si-N

        Domain-User Name          : :user1

        Computer                  :

        Client                    : Microsoft Windows 7 Professional, 32-bit

        Private IP                :

        Public IP                 :

        ESP                       : exist

        SSL                       : none

        Login Time                : Jan.18 14:16:52

        Logout/Expiration         : Jan.19 14:16:52

        TTL                       : 82156

        Inactivity TTL            : 2956

        Domain-User Name          : :user2

        Computer                  :

        Client                    : Microsoft Windows 7 Enterprise Edition Service Pack 1, 32-bit

        Private IP                :

        Public IP                 :

        ESP                       : exist

        SSL                       : none

        Login Time                : Jan.18 14:32:23

        Logout/Expiration         : Jan.19 14:32:23

        TTL                       : 83088

        Inactivity TTL            : 3949

astec@fw1(active)>

astec@fw1(active)> show user ip-user-mapping all type GP

IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)

--------------- ------ ------- -------------------------------- -------------- -------------

Total: 0 users

astec@fw1(active)>

We have "Enable User Identification" enabled on both security zones: the one from where GP connections are originating (internet) and the one which is used for GP tunnel (vpn-clients).

Pan-OS version is 5.0.1, we're also using (agent-less) AD user mapping which is working fine.

On the above output I notice that tunnel name is vpn.xyz.si-N while we're using tunnel interface tunnel.1 in our configuration. I can't find vpn.xyz.si-N tunnel listed under tunnel interfaces so I don't think it's associated with any security zone.

Can you please help us resolving this issue? Can you provide some info where did this new tunnel vpn.xyz.si-N come from?

Thanx!

Best regards,

Simon

0 Likes Likes
1 REPLY 1

sjamaluddin
L4 Transporter

‎01-29-2013 03:33 PM

Where you configured your GP Gateway, look there and the name for the GP Gateway is probably vpn.xyz.si-N

In the lab here we have the following output

admin@PA-200> show global-protect-gateway current-user

GlobalProtect Gateway: GP_2connect (0 users)

Tunnel Name          : GP_2connect

notice the Tunnel Name comes from what I've called the Gateway: Tab>>Network>>Global Protect Gateway as shown below:

GP.PNG

  • 2939 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks