We have a problem with a user to IP mapping. Doesn't matter which version of PanOS - 7 or 8, doesn't matter if it's using windows agent or direct access from paloalto to LDAP servers.
Let's say a user is going to some server, windows exchange for example, and this server authenticates the user by LDAP. Then windows agent will have exchange's IP address mapped to the user name.
For now, I have resolved this problem by excluding servers subnets in windows agent configuration. But not sure, may be there is a better way.
I'm not really seeing the issue. The way that user-id works is the user that is logged into the server, or the last to log in within the age-out, is the user mapped to that IP. So if you have someone log into your exchange server traffic do something really quick and then log out, they'll maintain the user-id mapping until another account logs a security event or the User ID timeout has been hit (if enabled).
If you don't want this action to take place then you would do exactly as you describe here, you exlude the IPs from user identification.
may be I didn't explain the problem clear.
So, for example, the user logged in to the PC - after that paloalto had the correct IP address. After that user opened any site in web browser, that used LDAP authentication. Then paloalto has IP address of the server, where that site was hosted, as an IP address mapped to the user. So if security rule allows access by user-id, it will not match IP address of the user's PC.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!