@BPry thanks for the reply. We were running into an issue where the User IDs were timing out and we'd start to see inconsistent logging... some logs would have the UserID, some wouldn't, then some would again. Obviously this would make UserID security based policy very difficult.

Our wireless and ResNet areas (basically all BYOD) use SafeConnect for NAC and we're already using their implementation to update Palo Alto UserID (they recommend an API user account be created for SafeConnect to use). We had to change the default timeout here because users on these networks only have to log in devices once every 120 days right now. Since they are BYOD, these devices don't usually change users.

The remainder of our network is academic and office spaces. For academic areas, lab computers and teacher workstations are logged in and out for class periods. Assuming a logoff event triggers a UserID clear event through the user agent connected to the AD controllers, UserID should be fairly up-to-date here. If not, the next user logging in should update it.

For the office areas, I believe we had a lot of people leaving their computers logged in and just locked when they weren't around (I'm included here). I don't believe an unlock generates an AD security event so UserID here was eventually expiring on the Palo Alto and not populating.