Hi All,

Thanks for the feedback. I will quickly describe my question below.

1. We use AD LDAP for SSL VPN authentication.
2. User-ID group-mapping is also used for security policy control after SSL VPN login.
3. The groups that should be allowed to authenticate have also been added under group-mapping -> Include group.
4. There are two accounts in the AD: "test_user" and "test.user".

In the beginning, test_user can log in to the SSL VPN with the GlobalProtect agent and hits the correct security policy.

For testing, we changed the user to "test.user" and ran the test again. We found that the user "test.user" can log in to the SSL VPN successfully, but in the traffic logs the user column displays "test_user", not "test.user".

We also checked the system logs: test.user keeps trying to log in, but authentication fails. After several attempts, the system logs show the user "test_user" logging in successfully.

After investigation, we found that the user "test.user" is not in the group-mapping include groups, so the system logs display auth-fail. But it seems the GP agent automatically presented the account "test_user" to authenticate with the Palo Alto firewall, and got auth-success.

So we would like to know: is this the GlobalProtect agent's default behavior or not?

In addition, we switched to another laptop and did the same again, but the issue did not occur.

My laptop runs Windows 7 x86 and the GP client's version is 1.1.7.

Regards,