Hello,

It's not the first time that I am facing this kind of issue.

Context: PaloAlto FW with (multiple) userID agents in a single (or multiple) Microsoft domain and user ID based security policies.

The User ID feature seems at a glance to be working well; however, sometimes UserID seems to "lose focus" on several source IP addresses (users).

For example, at instant t: IP x.x.x.x is identified with user A.
Suddenly, at instant t + delta t (random): IP x.x.x.x is no longer identified (no more source user).
Again after delta t (random): IP x.x.x.x is identified with the same (or sometimes another) user A.

You can see an occurrence in the extracted logs below. We can see IP 10.35.111.103 is identified with source user domain\johnd, then suddenly the IP has no user for around 30 minutes (and the appropriate rule is obviously no longer matched). And then the IP is associated back with the correct user.

I have seen this behaviour many times, with an end-customer impact ranging from "no matter, that seems to be working fine" to "it doesn't work! fix it!", obviously depending on the security policies configuration.

In this particular example, we are running PanOS 7.1.7 on a PA-5050 cluster, with UserID agents release 7.0.4.5.

Have you ever faced such an issue?

Regards,
Laurent