About TomYoung

Hi @djohnson229 ,   I believe the MAC address is the common parameter on the local AD DC that is used to link the username in the authentication logs with the IP address in the DHCP logs.  How does the User-ID agent know which username goes with which IP address?  I can't think of anything else.   Thanks,   Tom ... View more

Hi @Martin_Chung ,   You cannot create a new vsys from Panorama.  It needs to be created on the NGFW.  Edit:  I got this from an old document!  You can create a vsys on Panorama!  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLsWCAW   Template settings have a vsys option.   The vsys should show up as a separate device for device groups.  I am not sure if it will populate automatically in the list when you create it.  That allows you to push a separate set of rules to the new vsys.   Please create the new vsys locally and let me know if you can see it in the list of devices under Panorama > Device Groups.   Thanks,   Tom ... View more

Hi @djohnson229 ,   I totally understand your side of the story.  It is not as seamless.   I can take a guess at the PANW side:   Azure AD has no MAC address to link the user to the IP address which exists with a local AD DC. Why didn't they build CIE into the NGFW?  I would assume they looked at this 1st but decided to move it to the cloud for some reason. At least they have a solution for Azure AD User-ID.  Maybe it will get better.   Thanks,   Tom ... View more

Hi @TonyDeHart ,   The Policy Optimizer identifies traffic on non-standard ports.  Notice the "warning" icon.     However, if there is a mix of standard and non-standard, it does not show.  That is one of the reasons you create a L7 application-default cloned rule above your L4 rule and add the applications to it.  Then, the non-standard applications will hit the L4 rule and you should have the warning symbol in the Policy Optimizer.  You should clear the apps seen in the L4 rule after you add apps to the L7 rule.  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id/security-policy-rule-optimization/policy-optimizer-concepts/clear-application-usage-data   You could also use the Log Viewer for a rule (drop down next to name) and view traffic that matches the rule.  You can select the application and destination port and change the port.dst to neq.   Thanks,   Tom ... View more

Hi @krzysztof.kubiak ,   RSTP ports still can be in a blocking state.   You may need to have someone on site to troubleshoot.  It is most likely a L2 problem.   Thanks,   Tom ... View more

Hi @djohnson229 ,   That is a great question.  I have wondered the same thing myself.  This docs walk through a process where CIE combined with the Authentication Portal can get User-to-IP mappings -> https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-new-features/identity-features/cloud-identity-engine.   The Authentication Portal would be best if it can be setup to authenticate in the background rather than have the user type their credentials in, but that would require the same creds on the PC and Azure AD.  You could also use certificates.   There are other ways to get User-to-IP mappings depending on what you have in place.   Use GlobalProtect with internal host detection to require login but not tunnel to a gateway.  (I have not tested this method.) Retrieve mappings from 802.1x configure on wireless and/or wired. Thanks,   Tom ... View more

Hi @TonyDeHart ,   Good to know that the NGFW may not proxy ARP for the IP if the interface is not specified in the NAT statement.  Please mark your last post as the solution in case someone else has the same issue and is looking for a fix!   Thanks,   Tom ... View more

Hi @krzysztof.kubiak ,   I have PA-450s on 10.1.9-h3, and I do not have this problem.  Failover is immediate.  For this issue, you need to look at the switches.   Are the ports connected to the passive NGFW up on both switches? What STP state are they in? Perform a failover and watch the ports transition.  Also check how fast the MAC addresses switch to the new ports. Does your HA widget in the Dashboard show all HA links are green? A minute outage sounds like an STP convergence issue.   Thanks,   Tom ... View more

Hi @Sanjay_Ramaiah ,   If you change the Primary Username to userPrincipalName, then it will list the group members in UPN format.  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000CpgcCAC&lang=en_US%E2%80%A9  The users in the group will match your SAML format.   Maybe you cannot do that because you have other User-ID sources currently working with group mapping.  If this is the case, you are on the right track to get your usernames standardized in the right format.   Thanks,   Tom ... View more

Hi @TonyDeHart ,   Just curious, where did you fill in the domain for the GP gateway?   Also, how many User-ID sources do you have?   Thanks,   Tom ... View more

Hi @TonyDeHart ,   That could be it!  Try changing domainname.com to domainname for one source and see if that works.   Yes, the domain name can be left blank for most configurations, e.g. group mapping, authentication profiles, etc.  You generally configure it as an override.   Thanks,   Tom ... View more

Hi @TonyDeHart ,   The different domain names usually come from different User-ID sources.  Do you have multiple sources for User-ID?  If so, under Monitor > User-ID is the naming convention consistent with each source?   If you have only 1 User-ID source, we can look into that also.   Thanks,   Tom ... View more