Tested with UID Agent 7.0.2, PAN-OS 7.0.2 VM-100:

In the configuration file UserIDAgentConfig.xml, for each auth source (server), there is a default-domain variable, which does not have a value by default. I tested by filling in the desired domain name to be prepended, sending usernames with and without domains via the XML API, and checking on the firewall.

UserIDAgentConfig.xml:

    <server-settings>
      <server-entry name="xxx" type="active-directory" address="xxx" port="" syslog-profile="" default-domain="xxx"/>
    </server-settings>

In the following snippets, 10.1.1.1 is the firewall and 10.1.1.201 is the domain controller with the UID Agent installed.

XML file sent via curl:

    <uid-message>
      <version>1.0</version>
      <type>update</type>
      <payload>
        <login>
          <entry name="uid" ip="10.1.1.121" timeout="20"/>
        </login>
        <login>
          <entry name="uid2" ip="10.1.1.122" timeout="20"/>
        </login>
        <login>
          <entry name="beta\uid3" ip="10.1.1.123" timeout="20"/>
        </login>
        <login>
          <entry name="gamma\uid4" ip="10.1.1.124" timeout="20"/>
        </login>
      </payload>
    </uid-message>

The file was sent via:

    curl -vk --form file=@uid.xml https://10.1.1.201:5006

The UID Agent displays the username exactly as it was sent, without interpreting the separator (@ and \ tried):

and the firewall is updated:

    admin@pavm-7> show user ip-user-mapping all
    IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
    --------------- ------ ------- -------------------------------- -------------- -------------
    10.1.1.124      vsys1  UIA     gamma\uid4                       222            222
    10.1.1.201      vsys1  UIA     alpha\panwagent                  901            901
    10.1.1.121      vsys1  UIA     uid                              397            397
    10.1.1.125      vsys1  UIA     uid5@delta                       1127           1127

So the default-domain variable in the UID Agent configuration file doesn't seem to append or overwrite a domain name for users without a domain, to get something usable for user-group mapping.

The certificate used in CP is just a method to validate an identity; since it's not correlated natively to an auth server/sequence, I doubt you can extract fields from the cert (e.g. UPN) to check user-group mapping.
If you are not trying to control internet access but access to internal resources, the Kerberos challenge introduced in PAN-OS 7.0 (works with the browser-challenge method) might help.
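Since, per the post above, the agent forwards usernames exactly as sent and the default-domain setting does not fill in a missing domain, the practical workaround is to normalize names on the sending side. The following is an added example (not code from the original post or from Palo Alto Networks): it rewrites bare names and user@domain names into the domain\user form the domain-qualified entries already arrive in, builds the same uid-message document the post sends, and POSTs it as a multipart "file" field the way the post's curl command does. The agent address https://10.1.1.201:5006, the default domain "alpha" and the sample users are taken from or modelled on the post; skipping TLS verification mirrors curl -k and is an assumption that the agent uses a self-signed certificate.

```python
"""Normalize User-ID usernames and send a User-ID XML API login update.

Added example, not code from the original post. Constructed sample data:
the user/IP pairs below mirror the post's uid.xml.
"""
import ssl
import urllib.request
import uuid
import xml.etree.ElementTree as ET

AGENT_URL = "https://10.1.1.201:5006"   # assumption: UID Agent XML API port from the post
DEFAULT_DOMAIN = "alpha"                 # assumption: domain of the panwagent account in the post


def normalize_user(name: str, default_domain: str) -> str:
    """Return 'domain\\user' for 'user', 'domain\\user' or 'user@domain'.

    Names that already carry a domain keep it, so one message can mix
    domains (as beta\\uid3 and gamma\\uid4 do in the post). Only a bare
    name gets default_domain prepended, which is what the post hoped the
    agent's default-domain setting would do.
    """
    if "\\" in name:
        domain, _, user = name.partition("\\")
    elif "@" in name:
        user, _, domain = name.rpartition("@")
    else:
        user, domain = name, default_domain
    if not user or not domain:
        raise ValueError(f"cannot derive domain\\user from {name!r}")
    return f"{domain}\\{user}"


def build_uid_message(logins, default_domain: str, timeout: int = 20) -> str:
    """Build the <uid-message> login update; logins is an iterable of (user, ip)."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    login = ET.SubElement(payload, "login")
    for name, ip in logins:
        ET.SubElement(login, "entry", name=normalize_user(name, default_domain),
                      ip=ip, timeout=str(timeout))
    return ET.tostring(root, encoding="unicode")


def parse_mappings(xml_text: str) -> dict:
    """Read back {ip: username} from a uid-message, i.e. what the agent receives."""
    root = ET.fromstring(xml_text)
    return {e.get("ip"): e.get("name") for e in root.iter("entry")}


def send_uid_message(xml_text: str, agent_url: str = AGENT_URL, insecure: bool = True):
    """POST the document as multipart form field 'file' (same shape as curl --form file=@uid.xml)."""
    boundary = "----uidmsg" + uuid.uuid4().hex
    body = (
        f"--{boundary}\r\n"
        'Content-Disposition: form-data; name="file"; filename="uid.xml"\r\n'
        "Content-Type: text/xml\r\n\r\n"
        f"{xml_text}\r\n"
        f"--{boundary}--\r\n"
    ).encode()
    req = urllib.request.Request(
        agent_url, data=body, method="POST",
        headers={"Content-Type": f"multipart/form-data; boundary={boundary}"})
    ctx = None
    if insecure:  # equivalent of curl -k; assumption: self-signed agent certificate
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.status, resp.read().decode(errors="replace")


# Constructed sample input, modelled on the post's uid.xml plus its uid5@delta entry.
SAMPLE_LOGINS = [
    ("uid", "10.1.1.121"),
    ("uid2", "10.1.1.122"),
    ("beta\\uid3", "10.1.1.123"),
    ("gamma\\uid4", "10.1.1.124"),
    ("uid5@delta", "10.1.1.125"),
]

if __name__ == "__main__":
    import sys
    msg = build_uid_message(SAMPLE_LOGINS, DEFAULT_DOMAIN)
    print(msg)
    if "--send" in sys.argv:  # only talks to the agent when explicitly asked
        print(send_uid_message(msg))
```

Run without arguments to print the normalized document and confirm every entry reads domain\user; add --send to deliver it to the agent, after which the post's show user ip-user-mapping all command is the check that the firewall now holds domain-qualified names for all five addresses.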