- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
08-10-2017 03:39 AM
Hello everybody,
We have a problem with a user to IP mapping. Doesn't matter which version of PanOS - 7 or 8, doesn't matter if it's using windows agent or direct access from paloalto to LDAP servers.
Let's say a user is going to some server, windows exchange for example, and this server authenticates the user by LDAP. Then windows agent will have exchange's IP address mapped to the user name.
For now, I have resolved this problem by excluding servers subnets in windows agent configuration. But not sure, may be there is a better way.
Regards,
Vladimir.
08-10-2017 06:46 AM
I'm not really seeing the issue. The way that user-id works is the user that is logged into the server, or the last to log in within the age-out, is the user mapped to that IP. So if you have someone log into your exchange server traffic do something really quick and then log out, they'll maintain the user-id mapping until another account logs a security event or the User ID timeout has been hit (if enabled).
If you don't want this action to take place then you would do exactly as you describe here, you exlude the IPs from user identification.
08-10-2017 07:52 AM
Hi,
may be I didn't explain the problem clear.
So, for example, the user logged in to the PC - after that paloalto had the correct IP address. After that user opened any site in web browser, that used LDAP authentication. Then paloalto has IP address of the server, where that site was hosted, as an IP address mapped to the user. So if security rule allows access by user-id, it will not match IP address of the user's PC.
03-08-2021 11:23 AM
Hello,
Did you ever find a solution to your problem? I am having the same issue. what did you end up doing to to get the ip user mapping to the user's machine and not the authentication server?
01-18-2022 04:19 AM
Sorry, I have just seen the answer. So, I normally just use user-id exclusion lists for such server for which I don't want to use a user-id from the one side and where can some authentication event happen.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!