04-19-2018 06:19 AM
I have a user group in Active Directory where we place users who should not reach the internet. This user group is then tied to a Palo Alto rule to Deny access.
I've noticed (Windows PC) this week that if a user who is in the Deny group logs in to a PC, they will be denied (works fine). However, let's say they log out and a person who should have access logs in to the same PC... packets are still hitting the firewall with the previous username, thus they get denied.
I don't believe this might be entirely tied to Palo Alto; I have a feeling it is something in Windows-land, but I just wanted to see if anyone else has run into this.
One way to get it to work again is to change the VLAN on the user, forcing them to grab a different IP.