GP users are getting denied random times

Showing results for 
Show  only  | Search instead for 
Did you mean: 

GP users are getting denied random times

L3 Networker

I have global protect v5.0.5 deployed to all Corporate Windows and some users reported that when they work everything stop to work and suddenly after 5-10 minutes is back again without disconnecting them from the global protect .This happen random times and not always .I have a user though that he reports that every day for the last week .


Palo Alto version is 8.1.11 VM-300 and GP agent 5.0.5 on a Windows 10.


I can see from the logs user is working fine in one server , then traffic getting blocked and can see only traffic log but not threat etc. 


I am allowing based on the IP and the Zone and destination is any app any service .

HIP looks fine and agent is sending the report every hour .


Today this happened to a user connected 7 am and stopped working around 10am for 5 minutes .In the logs I can see HIP reports were send before and after the incident and user-id was reported that was learned from the AD .


I can see from the logs if that is helping that user is not written and after working is written . Is that related to USER-ID where I need to exclude the IP pools from the GP on the USER-ID ?


Palo Alto engineer and myself we were looking the logs .


User connected in the morning , opened a UDP session with significant amount of data transimtted and recevied .Was allowed by an ACL in line 35 let's say and after 3 hours Deny ALL acl was matching in line 50 .


We see that HIP report was sent and there flags 0x63 & 0x61 on the allowed and deny from the log .We suspect that is related to HIP report .We see that was sent every hour and HIP log is matching the HIP profile every hour .Question is why traffic that elapsed time was 3 hours is mathcing after that time DENY ALL ACL. 



Thanks for updating on this.


Forgot to update 


We fixed that with disabling the timeout of the user-id but we also upgrade the agents to 5.0.8.

I know this is an old thread but I'm experiencing the same issue, 3220 fw's with 10.0.8-h8 and GP 5.2.10-6 on Windows 11.  First I thought it was an expiring cookie, but your right its right after the hip check.  Strange I see exactly the same thing.


So when you say you disabled the timeout of user-id, do you mean you unchecked Enable User Identification Timeout in the cache section in Device > User Identification?






L3 Networker

Hi ,


Yes that it is but keep in mind your logging will not be correct because the IP mapping will stay in the firewall for a long time. 

This will might cause issues in your logs for other USER-ID for IP mapping for other zones like server zones where username will stay there. 


For example , if you have a server let's say that is doing some service and has a service account and you RDP , the logs and the IP mapping will have for everything your username unless someone else RDP the server. 




Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!