User-Id Mapping / Ignore user list

Showing results for 
Show  only  | Search instead for 
Did you mean: 

User-Id Mapping / Ignore user list

L0 Member


I am running into an issue with Global Protect users due to remoting into other machines with other credentials. I have read extensive articles about the issue and understand that the firewall can only map one user name to an IP. That appears to be exactly what is happening., A user logs in and has internal connectivity, then logs into an RDP session. After logout that user has no connectivity due to the mapping being retained to the admin or service account. From what I gather, I need to exclude those accounts from user mapping. My uncertainty is in our setup. Our internal firewall has a server monitoring setup with all the remote DC's showing connected (Device / User Identification / User Mapping Tab / Server Monitoring). Each remote firewall under (Device / User Identification / User-Id Agents tab) has a mapping to the internal firewall. What I am looking for clarification on is whether I need to create the ignore user list on the internal firewall or each individual firewall. I would assume it would be the internal firewall but not 100 percent sure on this. Any help would be appreciated.



Cyber Elite
Cyber Elite


You would just need this on your internal firewall if you have your remote DCs setup through redistribution. You might want to think through all the ramifications of just blanket ignoring these accounts on the firewall however. You won't have these accounts to use in your rulebase or your logs anymore at all, so if they are being used in your rulebase at all to limit/allow traffic in other rules you'll have to take another look at that. 

Cyber Elite
Cyber Elite

instead of adding the users to the ignore list, you could add the GlobalProtect IP Pool to the exclude list in the userID agent


this will preserve GP user mapping at all time

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!