02-12-2026 04:18 AM
Hi All,
We have a PA-1410 at DC (with GlobalProtect) and PA-440/410 at branches.
Users of Microsoft Intune-enrolled devices authenticate via SAML-Azure AD; non-Intune users via LDAP on-prem AD. User-ID is learned on the DC firewall and redistributed to branches using existing redistribution profiles.
Working fine for:
- Non-Intune internal/external network users
- Intune users from external network (via GP)
- Intune users on internal network at DC
Issue:
Intune users on internal network at branch sites do not get User-ID mapping or it is intermittent.
In all cases, DC firewall is learning and redistributing the mappings.
Same design works at DC but not consistently at branches only for Intune internal users.
Has anyone seen this before?
Any pointers or real-world fixes would be really appreciated.
02-15-2026 09:53 PM
When Intune users are at a branch, their traffic hits the local PA-440/410, but because they authenticate via SAML (Azure AD) rather than local AD, there are no security logs for a local User-ID agent to scrape. If the DC firewall is redistributing mappings based on a GlobalProtect inner-tunnel IP or a specific DC-centric subnet, those mappings won't match the local branch LAN IP of the device.
To fix this, ensure your Redistribution Filter includes the branch IP subnets and verify that the branch firewalls are configured as Log Receivers or have the DC firewall added as a User-ID Agent. Additionally, since Intune devices often use randomized MAC addresses or transition between Wi-Fi/Wired interfaces, consider deploying the Palo Alto GlobalProtect app in "Internal Gateway" mode; this forces the client to report its current internal IP directly to the firewall, bypassing the need for unpredictable log scraping or redistribution lag.
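Added example, not part of the original thread or of any Palo Alto tooling: a small Python triage script that compares the DC and branch IP-to-user tables and reports, per user, which of the causes described in the reply applies. The `ip,user` input format, the subnet, the addresses and the usernames are all constructed assumptions; adapt the parsing to whatever export you collect from each firewall.

```python
import ipaddress

def parse(rows):
    """Parse constructed 'ip,user' lines into {ip_address: user}."""
    table = {}
    for line in rows.strip().splitlines():
        ip, user = (field.strip() for field in line.split(","))
        table[ipaddress.ip_address(ip)] = user.lower()
    return table

def diagnose(dc_rows, branch_rows, branch_subnets, users):
    """Return {user: reason} for users expected on the branch LAN."""
    nets = [ipaddress.ip_network(n) for n in branch_subnets]

    def in_branch(ip):
        return any(ip in net for net in nets)

    dc, branch = parse(dc_rows), parse(branch_rows)
    result = {}
    for user in (u.lower() for u in users):
        dc_ips = [ip for ip, u in dc.items() if u == user]
        if any(u == user and in_branch(ip) for ip, u in branch.items()):
            result[user] = "ok"
        elif any(in_branch(ip) for ip in dc_ips):
            # DC knows the branch LAN IP, but the branch never received it:
            # check the redistribution filter and the branch's agent config.
            result[user] = "dc-has-branch-ip-not-redistributed"
        elif dc_ips:
            # DC only holds a mapping on a GP tunnel or DC subnet address,
            # which cannot match the device's branch LAN IP.
            result[user] = "dc-mapping-on-non-branch-ip"
        else:
            result[user] = "no-mapping-at-dc"
    return result

# Constructed sample tables (hypothetical addresses and users).
DC = """
10.10.5.20, corp\\alice
10.20.1.50, corp\\bob
10.20.1.51, corp\\carol
"""
BRANCH = """
10.20.1.51, corp\\carol
"""
BRANCH_SUBNETS = ["10.20.1.0/24"]
USERS = ["corp\\alice", "corp\\bob", "corp\\carol", "corp\\dave"]

if __name__ == "__main__":
    for user, reason in diagnose(DC, BRANCH, BRANCH_SUBNETS, USERS).items():
        print(f"{user:12} {reason}")
```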

