Hi

We have just completed an upgrade from PANOS 5.0.3 to 6.0.2. Everything seems OK with the exception of the GlobalProtect agents (and Shrew VPN) not being allowed onto the network. A successful connection is made by GlobalProtect, but you can't connect to servers or see the network as everything gets dropped by a policy rule that drops everything coming from the Tunnel.

What we do is have several different rules that control which users can see which servers. As an admin I get to see the entire network. The rules use the 'source user' to decide what you can see. All fairly standard stuff, and it was working fine when we ran 5.0.3. However, since the upgrade everything gets dropped by the drop rule.

To clarify the rules:

1. Allow DNS traffic to the DNS servers.
2. Allow users A, B and C access to server one.
3. Allow users D, E and F access to server two.
4. Drop all traffic from the Tunnel.

When I monitor the traffic logs and filter to just look at stuff coming from the Tunnel zone, I've noticed that there is nothing listed under the 'Source User' column (user accounts were listed under 5.0.3). The fact that the packets are dropped by the 'drop everything from the tunnel' rule tells me that the source user isn't being seen by the policy (otherwise it would have been allowed by a previous rule). There is one rule (the first one) that allows DNS lookups, and this rule works, but that policy doesn't use Source User in its settings.

I've checked that UserID is still enabled on the Tunnel interface, and the following command returns the correct data for 'domain' and 'user':

show user ip-user-mapping ip 10.10.100.19

IP address:    10.10.100.19 (vsys1)
User:          domain\user
From:          GP
Idle Timeout:  10558s
Max. TTL:      10558s
Groups that the user belongs to (used in policy)

When I look at the System logs I can see the GlobalProtect agent connect, and it shows the correct user account details. I see UserIDs correctly on the LAN interface, so UserID is working.
Anyone got any thoughts as to why, after the upgrade, the Source User isn't being seen by the policy? As I said, it was working fine in 5.0.3, and short of doing the upgrade nothing has changed (I'm going through the config audit to confirm). Any help would be appreciated.

Alan
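The check Alan is doing by eye in the post (traffic-log rows from the Tunnel zone hit the catch-all drop with an empty Source User, yet `show user ip-user-mapping` holds a mapping for that IP) can be scripted so it runs across every tunnel session rather than one IP at a time. The script below is an added example written for this page; it is not from the original post or from Palo Alto Networks. It parses the mapping output in exactly the layout the post shows, joins it against a traffic-log export, and reports the sessions where a mapping exists but the policy evidently never saw it. The rule name `Drop-Tunnel`, the zone name `Tunnel`, the second mapping entry and the simplified CSV column set (`src,dst,from_zone,to_zone,srcuser,rule,action`) are all assumptions; a real PAN-OS traffic-log CSV export has many more columns, so map the column names to your export before use.

```python
import csv
import io
import re

# Constructed sample of `show user ip-user-mapping` output, in the block
# layout the post shows. The second entry (10.10.100.20, learned from AD)
# is invented for contrast; it is not from the post.
IP_USER_MAPPING_OUTPUT = """\
IP address:    10.10.100.19 (vsys1)
User:          domain\\user
From:          GP
Idle Timeout:  10558s
Max. TTL:      10558s
Groups that the user belongs to (used in policy)

IP address:    10.10.100.20 (vsys1)
User:          domain\\alice
From:          AD
Idle Timeout:  2700s
Max. TTL:      2700s
Groups that the user belongs to (used in policy)
"""

# Constructed, simplified traffic-log rows. Only the columns this check
# needs are included; rule and zone names are assumptions.
TRAFFIC_LOG_CSV = """\
src,dst,from_zone,to_zone,srcuser,rule,action
10.10.100.19,10.10.1.5,Tunnel,LAN,,Allow-DNS,allow
10.10.100.19,10.10.1.10,Tunnel,LAN,,Drop-Tunnel,deny
10.10.100.20,10.10.1.10,LAN,LAN,domain\\alice,Allow-Server-One,allow
10.10.100.21,10.10.1.10,Tunnel,LAN,,Drop-Tunnel,deny
"""


def parse_ip_user_mapping(text):
    """Parse the CLI blocks into {ip: {"vsys", "user", "from"}}.

    A new entry starts at each 'IP address:' line; the following 'User:'
    and 'From:' lines are attached to it. Other lines are ignored.
    """
    mappings = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"IP address:\s*(\S+)\s*\((\w+)\)", line)
        if m:
            current = {"vsys": m.group(2), "user": None, "from": None}
            mappings[m.group(1)] = current
            continue
        if current is None:
            continue
        m = re.match(r"(User|From):\s*(\S+)", line)
        if m:
            current[m.group(1).lower()] = m.group(2)
    return mappings


def find_unattributed_drops(log_csv, mappings,
                            tunnel_zone="Tunnel", drop_rule="Drop-Tunnel"):
    """Return tunnel-zone sessions that hit the catch-all drop rule with an
    empty Source User, annotated with whatever mapping the firewall holds
    for the source IP.

    A finding with a non-empty mapped_user is the symptom in the post: the
    mapping exists, but the policy did not apply it. A finding with no
    mapping at all is a different problem (User-ID never learned the IP).
    """
    findings = []
    for row in csv.DictReader(io.StringIO(log_csv)):
        if row["from_zone"] != tunnel_zone or row["rule"] != drop_rule:
            continue
        if row["srcuser"]:
            continue  # user was attributed; the drop is a real policy decision
        mapping = mappings.get(row["src"])
        findings.append({
            "src": row["src"],
            "dst": row["dst"],
            "mapped_user": mapping["user"] if mapping else None,
            "mapped_from": mapping["from"] if mapping else None,
        })
    return findings


if __name__ == "__main__":
    maps = parse_ip_user_mapping(IP_USER_MAPPING_OUTPUT)
    for f in find_unattributed_drops(TRAFFIC_LOG_CSV, maps):
        if f["mapped_user"]:
            print(f"{f['src']} -> {f['dst']}: dropped with empty Source User "
                  f"but mapped to {f['mapped_user']} via {f['mapped_from']}")
        else:
            print(f"{f['src']} -> {f['dst']}: dropped, no mapping held")
```

Run against the constructed data it flags 10.10.100.19 (mapping present, source GP, user blank in the log) and 10.10.100.21 (no mapping at all); the 10.10.100.19 DNS session is skipped because it was allowed, and the LAN session is skipped because it carried a user. Separating the two kinds of finding matters when troubleshooting: the first says User-ID learned the user but policy did not use it, the second says User-ID never learned the IP, and the two have different causes.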