Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

Who Me Too'd this topic

User-ID - Active Directory Keeps Sending Domain DNS and NetBIOS DNS

L2 Linker

Hi Community,


Having a headache of an issue lately and I believe it to be an issue on the customer environment rather than a setting configuration on the firewall, or software issue in PAN-OS e.g.


I've little experience with enterprise active directory so I learn as I go.


At the moment, customer has been using the Domain DNS for User Domain settings on Authentication Profiles and Group Mappings.


I plan to change this and make sure to use the NetBIOS in place of the domain DNS for User Domain settings in Authentication Profiles and Group Mapping settings.



PAN-OS 9.0.8

Global Protect 5.1.3

Windows Server: Not Sure


In the customers environment, certain subnets, be it wired or wireless,  the ip-user-mapping are picked up as sometimes or corp/user.


Therefore, an ip-user-mapping of isn't recognized as being part of the AD group corp/webaccess  and security rule is never hit.


Same user will then remove the wired connection, will be picked up on a different ip-address via Wifi but is now seen on the firewall as corp/user, is seen inside AD group corp/webaccess and hits the rule, gaining web access.




Again issue happens when users try to authenticate from home via Global Protect. 


Verifying with command [ > tail follow yes mp-log authd ] users authentication will fail because is not inside AD group globalprotect .... user will try again and again until eventually they are picked up as corp/user.



I've searched almost all of LiveCommunity, Fuel User Group and Support Portal Knowledgebase to see if this has come up before.


Most articles state the requirement of using NetBIOS in place of Domain DNS but nothing stating what steps the customer should do to verify domain mapping and AD is correct.


Please help



Who Me Too'd this topic