02-02-2021 03:49 PM
Hello,
I am running into an issue with GlobalProtect users due to remoting into other machines with other credentials. I have read extensive articles about the issue and understand that the firewall can only map one user name to an IP. That appears to be exactly what is happening. A user logs in and has internal connectivity, then logs into an RDP session. After logout that user has no connectivity due to the mapping being retained to the admin or service account. From what I gather, I need to exclude those accounts from user mapping. My uncertainty is in our setup. Our internal firewall has a server monitoring setup with all the remote DCs showing connected (Device / User Identification / User Mapping tab / Server Monitoring). Each remote firewall under (Device / User Identification / User-ID Agents tab) has a mapping to the internal firewall. What I am looking for clarification on is whether I need to create the ignore user list on the internal firewall or on each individual firewall. I would assume it would be the internal firewall, but I am not 100 percent sure on this. Any help would be appreciated.
02-02-2021 08:18 PM
You would just need this on your internal firewall if you have your remote DCs set up through redistribution. You might want to think through all the ramifications of just blanket ignoring these accounts on the firewall, however. You won't have these accounts to use in your rulebase or your logs anymore at all, so if they are being used in your rulebase at all to limit/allow traffic in other rules you'll have to take another look at that.
02-03-2021 01:40 AM
Instead of adding the users to the ignore list, you could add the GlobalProtect IP pool to the exclude list in the User-ID agent.
This will preserve GP user mapping at all times.
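The overwrite described in the question and the two mitigations proposed in the replies, as an added Python model written for this page (it is not Palo Alto Networks code and not PAN-OS configuration syntax; the IP pool, addresses and account names are constructed, and the assumption that a GlobalProtect-sourced mapping is written regardless of the agent's exclude list is this model's simplification):

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample values; nothing here comes from the thread's network.
GP_POOL = ipaddress.ip_network("10.200.0.0/24")   # hypothetical GlobalProtect IP pool
GP_CLIENT = "10.200.0.15"                          # hypothetical address a GP user received
ADMIN_WORKSTATION = "10.1.5.20"                    # hypothetical LAN host used by the admin
GP_USER = "corp\\jsmith"
RDP_ACCOUNT = "corp\\svc-rdpadmin"


@dataclass
class UserIdTable:
    """Toy model of the firewall's one-user-per-IP mapping table.

    ignore_users:     accounts the agent never maps (the "ignore user list")
    exclude_networks: subnets the agent never discovers mappings for
                      (the exclude side of the include/exclude network list)
    """
    ignore_users: set = field(default_factory=set)
    exclude_networks: list = field(default_factory=list)
    table: dict = field(default_factory=dict)  # ip -> username

    def __post_init__(self):
        # Account names are compared case-insensitively; normalise once.
        self.ignore_users = {u.lower() for u in self.ignore_users}

    def _in_excluded_network(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.exclude_networks)

    def gp_login(self, ip, user):
        """Mapping learned from the GlobalProtect gateway login itself.

        Model assumption: this mapping does not come from server monitoring,
        so the agent's exclude list is not consulted for it.
        """
        self.table[ip] = user.lower()

    def dc_logon_event(self, ip, user):
        """Logon event relayed by server monitoring (e.g. a DC security log).

        Returns True if the event produced a mapping, False if it was dropped.
        """
        if user.lower() in self.ignore_users:
            return False
        if self._in_excluded_network(ip):
            return False
        self.table[ip] = user.lower()  # last writer wins: this is the overwrite
        return True

    def user_for(self, ip):
        return self.table.get(ip)


def rdp_scenario(ignore_users=(), exclude_networks=()):
    """Replay the thread's sequence; return who the firewall thinks owns GP_CLIENT."""
    fw = UserIdTable(set(ignore_users), list(exclude_networks))
    fw.gp_login(GP_CLIENT, GP_USER)
    # The user opens an RDP session with a service account. The DC records a
    # logon whose source address is the GP client's IP, and server monitoring
    # hands that (ip, user) pair to the firewall.
    fw.dc_logon_event(GP_CLIENT, RDP_ACCOUNT)
    # Logging out of RDP produces no "unmap" event, so whatever is in the
    # table now is what the user's later traffic is matched against.
    return fw.user_for(GP_CLIENT)


def ignored_account_visibility():
    """Side effect of the ignore list: the account's own logons are never mapped."""
    fw = UserIdTable(ignore_users={RDP_ACCOUNT})
    fw.dc_logon_event(ADMIN_WORKSTATION, RDP_ACCOUNT)
    return fw.user_for(ADMIN_WORKSTATION)  # None: no rule or log will carry this user


if __name__ == "__main__":
    print("no mitigation:       ", rdp_scenario())
    print("ignore user list:    ", rdp_scenario(ignore_users=[RDP_ACCOUNT]))
    print("exclude GP pool:     ", rdp_scenario(exclude_networks=[GP_POOL]))
    print("ignored acct mapping:", ignored_account_visibility())
```

With no mitigation the GP client's mapping ends up as the service account, which is the post-logout loss of connectivity the question describes. Either the ignore list or excluding the GP pool keeps the GP user's mapping intact; the last function shows the trade-off raised in the second reply, where an ignored account never appears in any mapping and so cannot be matched in the rulebase or seen in the logs.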