08-03-2025 05:32 AM
Hi, Palo Alto 11.1, User-ID agent configured, it's pulling users with IP.
But using policy to block or allow the internet is not working.
It blocks all users; if all domain users are allowed, the internet will be allowed. If a particular group is selected to enable through policy, it is blocked. I can see users in the User-ID section and logs.
Please advise.
08-03-2025 10:23 AM
User-ID agent is working, but security policies are not. This is a common issue, and the problem is likely in your policy configuration, not the User-ID agent itself.
Primary Fixes to Check:
- Policy Order: Your specific "allow group" policy must be placed above any broad "allow all users" policy. The firewall processes policies from top to bottom.
- Group Mapping: Even if user-to-IP mapping works, the group membership might not be. Go to Device > User Identification > Group Mapping Settings and confirm the group you're using in your policy is included and syncing correctly.
- Source Zone: Ensure the source zone in your policy has "User Identification" enabled.
- Commit: Always remember to commit your changes for them to take effect.
It's highly probable the issue is with the policy order, which is the most frequent cause of this behavior.
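The checks listed in the reply above (rule order, group mapping, User-ID on the source zone), modelled as an added Python example that is not part of the original thread and is not PAN-OS code. It is a simplified first-match evaluator; the rule names, users, addresses and the `evaluate` helper are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    source_user: str  # "any", "known-user", or a group name
    action: str       # "allow" or "deny"

def user_matches(rule, user, group_members):
    if rule.source_user == "any":
        return True
    if user is None:  # no IP-to-user mapping applied to this traffic
        return False
    if rule.source_user == "known-user":
        return True
    # Group rule: needs the group's member list, not only the IP-to-user mapping.
    return user in group_members.get(rule.source_user, set())

def evaluate(rules, src_ip, ip_user, group_members, zone_user_id=True):
    """Return (rule name, action) of the first matching rule, top to bottom."""
    user = ip_user.get(src_ip) if zone_user_id else None
    for rule in rules:
        if user_matches(rule, user, group_members):
            return rule.name, rule.action
    return "implicit-deny", "deny"  # assumption: unmatched traffic is dropped

# Constructed sample data (not taken from the thread).
IP_USER = {"10.0.0.5": "corp\\alice", "10.0.0.6": "corp\\bob"}
SYNCED = {"internet-users": {"corp\\alice"}}
NOT_SYNCED = {}  # group missing from the group mapping: no members known

GROUP_FIRST = [Rule("allow-group", "internet-users", "allow"),
               Rule("deny-internet", "any", "deny")]
BROAD_FIRST = [Rule("allow-all-users", "known-user", "allow"),
               Rule("allow-group", "internet-users", "allow"),
               Rule("deny-internet", "any", "deny")]

if __name__ == "__main__":
    # alice is mapped to her IP in every case; only the other inputs change.
    print("group synced:      ", evaluate(GROUP_FIRST, "10.0.0.5", IP_USER, SYNCED))
    print("group not synced:  ", evaluate(GROUP_FIRST, "10.0.0.5", IP_USER, NOT_SYNCED))
    print("zone User-ID off:  ", evaluate(GROUP_FIRST, "10.0.0.5", IP_USER, SYNCED, False))
    # bob is not in the group, but the broad rule above it lets him through.
    print("broad rule on top: ", evaluate(BROAD_FIRST, "10.0.0.6", IP_USER, SYNCED))
```

The second case reproduces the symptom in the question: the user appears in the IP-to-user mapping, yet the group rule never matches and the traffic falls through to the deny rule.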