11-27-2019 04:57 AM
I have Global Protect v5.0.5 deployed to all corporate Windows and some users reported that while they are working everything stops working and suddenly, after 5-10 minutes, it is back again without disconnecting them from Global Protect. This happens at random times and not always. I have one user, though, who reports it every day for the last week.
Palo Alto version is 8.1.11 VM-300 and GP agent 5.0.5 on a Windows 10.
I can see from the logs that the user is working fine on one server, then traffic is getting blocked, and I can see only the traffic log but not threat etc.
I am allowing based on the IP and the zone, and destination is any app, any service.
HIP looks fine and the agent is sending the report every hour.
Today this happened to a user who connected at 7 am and stopped working around 10 am for 5 minutes. In the logs I can see HIP reports were sent before and after the incident, and User-ID was reported that was learned from the AD.
I can see from the logs, if that helps, that the user is not written, and after it is working the user is written. Is that related to USER-ID, where I need to exclude the IP pools from the GP on the USER-ID?
12-07-2019 01:17 AM
A Palo Alto engineer and I were looking at the logs.
The user connected in the morning and opened a UDP session with a significant amount of data transmitted and received. It was allowed by an ACL in line 35, let's say, and after 3 hours the Deny ALL ACL was matching in line 50.
We see that the HIP report was sent and there are flags 0x63 & 0x61 on the allowed and deny from the log. We suspect that it is related to the HIP report. We see that it was sent every hour and the HIP log is matching the HIP profile every hour. The question is why traffic whose elapsed time was 3 hours is matching the DENY ALL ACL after that time.
12-07-2019 09:14 AM
Thanks for updating on this.
02-26-2020 06:28 AM
Forgot to update.
We fixed that by disabling the timeout of the user-id, but we also upgraded the agents to 5.0.8.
02-21-2022 09:10 AM - edited 02-21-2022 09:12 AM
I know this is an old thread but I'm experiencing the same issue, 3220 fw's with 10.0.8-h8 and GP 5.2.10-6 on Windows 11. First I thought it was an expiring cookie, but you're right, it's right after the HIP check. Strange, I see exactly the same thing.
So when you say you disabled the timeout of user-id, do you mean you unchecked Enable User Identification Timeout in the cache section in Device > User Identification?
02-22-2022 12:12 AM
Hi,
Yes, that is it, but keep in mind your logging will not be correct because the IP mapping will stay in the firewall for a long time.
This might cause issues in your logs for other USER-ID IP mappings for other zones, like server zones, where the username will stay there.
For example, if you have a server, let's say, that is doing some service and has a service account and you RDP to it, the logs and the IP mapping will have your username for everything unless someone else RDPs to the server.
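
The symptom described in this thread (a source IP that had a User-ID mapping is logged without a user and hits the deny rule, then is mapped again) can be searched for in exported traffic logs. The following is an added example, not code from any poster or from Palo Alto Networks; the simplified CSV columns, rule names and sample rows are constructed assumptions, not the native PAN-OS export format.

```python
import csv
import io
from datetime import datetime

# Constructed sample rows in an assumed, simplified CSV layout
# (not the native PAN-OS export format). Rule names are hypothetical.
SAMPLE_LOG = """\
time,src,srcuser,rule,action
2019-11-27 07:02:11,10.10.50.21,jdoe,GP-Users-Allow,allow
2019-11-27 09:58:40,10.10.50.21,jdoe,GP-Users-Allow,allow
2019-11-27 10:01:05,10.10.50.21,,Deny-All,deny
2019-11-27 10:02:00,10.10.50.99,,Deny-All,deny
2019-11-27 10:03:40,10.10.50.21,,Deny-All,deny
2019-11-27 10:04:10,10.10.50.30,asmith,GP-Users-Allow,allow
2019-11-27 10:05:50,10.10.50.21,,Deny-All,deny
2019-11-27 10:06:30,10.10.50.21,jdoe,GP-Users-Allow,allow
"""

def find_userid_gaps(log_text):
    """Find windows where a previously mapped source IP is logged with an
    empty user and denied, then shows a mapping again.
    Returns (src, user_before, first_deny, mapped_again, deny_count) tuples."""
    last_user = {}  # src -> last user seen for that IP
    open_gap = {}   # src -> [user_before, first_deny_time, deny_count]
    gaps = []
    for row in csv.DictReader(io.StringIO(log_text)):
        ts = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        src, user = row["src"], row["srcuser"].strip()
        if user:
            if src in open_gap:  # mapping is back: close the window
                before, start, count = open_gap.pop(src)
                gaps.append((src, before, start, ts, count))
            last_user[src] = user
        elif row["action"] == "deny" and src in last_user:
            # Unmapped deny from an IP that had a mapping earlier.
            gap = open_gap.setdefault(src, [last_user[src], ts, 0])
            gap[2] += 1
    return gaps

if __name__ == "__main__":
    for src, user, start, end, count in find_userid_gaps(SAMPLE_LOG):
        print(f"{src} ({user}): {count} unmapped denies, "
              f"{start:%H:%M:%S} to {end:%H:%M:%S} ({end - start})")
```

A window that is still open when the file ends is not reported, and an IP that never had a mapping (10.10.50.99 in the sample) is ignored.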