GP client connected to internal GW - no user attached to IP address

Reply
L2 Linker

GP client connected to internal GW - no user attached to IP address

Hello all,

I was thinking that when a client is connected via GP to an internal Gateway, the user is mapped to the IP address of the client. In my case, that is not working. The zone in which the client resides has user-ID enabled, but still the traffic is not stamped with the user-ID.

Can someone help me troubleshooting?

Regards,

Stephan van der Plas

L5 Sessionator

Hello Stephan van der Plas,

Under Global Protect Gateway > Client Configuration > Tunnel settings, have you selected Tunnel Mode> Tunnel Interface ? If yes, then User-ID should also be enabled on the zone where that the tunnel interface lies.

Also, is your user-ip mapping working for other zones? This is just to make sure that user-id itself is configured correctly.

Thanks and regards,
Kunal Adak

L4 Transporter

Hello Stephan van der Plas,


You can also look under zones to check "Enable User identification" for the zones to populate the usernames for the GP zone.


Thanks

L5 Sessionator

Please verify the following

User identification is enabled on the GP zone

Capture.PNG.png

Verify GP is getting the user name

GlobalProtect Gateway: GP_ext (0 users)

Tunnel Name          : GP_ext-N

GlobalProtect Gateway: GP_gateway (1 users)

Tunnel Name          : GP_gateway

Domain-User Name : test1

        Computer                  : XXXXXXX

        Client                    :

        Private IP                : 0.0.0.0

        Public IP                 : 192.168.0.8

        ESP                       : none

        SSL                       : none

        Login Time                : Nov.24 18:21:12

        Logout/Expiration         : Dec.24 18:21:12

        TTL                       : 2529338

        Inactivity TTL            : 7776


If the above is present then verify if the mapping is showing.


admin@Numan-FW> show user ip-user-mapping ip 192.168.0.8

IP address:  192.168.0.8 (vsys1)

User:       test1

From:        GP

Idle Timeout: 7612s

Max. TTL:    7612s

Groups that the user belongs to (used in policy)

.

If any one this does not show up then there is something missing or not correct. You might have to open a case with support to verify the issue.

Regards,

Numan

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!