Filtering by an Azure AD user does not work in Gateway-->Agent-->Client Settings


L1 Bithead

Hi,

We currently have GlobalProtect integrated with Azure MFA using SAML and it works flawlessly.
https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/palo-alto-networks-globalprotect-...

 

Now, we would like to offer a different IP pool depending on the user account. When I check in the MONITOR for connections using that VPN gateway, I see the different corporate email addresses in the SOURCE USER column. This email address is the one used to make the authentication via Azure MFA.

At this point, my approach was to create a new Agent-->Client Settings entry in the gateway portal. In the 'Config Selection Criteria' I included my corporate email address as SOURCE USER. No errors were shown, so I clicked OK and committed. I also included a different IP pool range to filter connections later on with dedicated policies.

Surprisingly, after the change was applied and I reconnected, I still get an IP address from the old IP pool, the one with 'any' in its client settings. It seems like my user name did not match for some reason. (see attachment)

We have a PA-850 running version 10.1.3.

Thanks

 




L1 Bithead

According to the official documentation, the source user in the client settings tab must be configured via User Identification.

In our case we only have the internal Active Directory, and checking its settings I saw an option that caught my attention: Alternate Username 1.

I wonder if I put "mail" in that field, it might be used in the filtering as a username. (see attachment)

Has anyone used that before for a similar purpose?

Thanks
