Thanks for the kind words! Much appreciated.

It seems that PAN is confused when there is multiple user logged in on a windows computer. Some users did not log out and when new user log in, the IP user mapping is not updated. Do you have any idea on how to fix this?

@@ANCsounds It sounds like this a multi-use system, like terminal services for Citrix or Windows. If that's the case, PANW has a terminal services agent that can be installed on the machine and each user will be identified with a set of source ports to use. It's available for download on the customer support portal. If, however, this is a normal machine and not a terminal services client, the agent/firewall should pick up the changes when it checks in with your AD/syslog server.

Absolutely! This is a common method we use to pull mappings from other sources. The most common is getting IP/User-ID info from wireless controllers or NAC solutions. Here's an article on how to configure it using Aruba wireless as an example. live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Collect-the-User-IP-Mappings-from-a-Syslog-Sender-Using/ta-p/62085

Nevermind, figured it out. Got it working.

Interesting question- the User-ID process is designed to match a username to an IP address. Since we operate at the network layer, we can't normally see the source/destination mac address. We see only the next hop mac. So...no, if using standard User-ID methods. There is a way to do it though. If we use the Global Protect client on the endpoint and do HIP (Host Information Profile) check, we can pull the machine name or mac address and create an exclusion list based on that. If this is a bit much, you could do a DHCP reservation and create an exclusion around the reserved IP. Hope this helps!

Thanks Jeff. I would love to create the exclusion list around reserved IPs. I have the IP's already reserved. Can you point me to where the exclusion list is defined in the documentation? I have some users who are using Mac High Sierra and the password override (for URL Filtering) is not working. The site is blocked completely. Earlier Mac versions provide the opportunity to enter the password...as with Windows users via Edge. Chrome blocks sites completely even though override is specified. Had to add a certificate for Windows to allow the override at all. Also, question... User Mapping does nothing unless you have a AD (or Microsoft Exchange, etc.) server, correct? Thanks again.

I'm assuming a couple of things when writing this response but if there isn't an exclusion list capability for a url profile. You can do 'Negate' on source and destination addresses to say that the policy applies to NOT that ip address or range. What I would do, though, is create a policy above the current one and put a permit policy with with reserved IP addresses. We do something like this all the time when users haven't adopted user-id, but have execs or owners that need open access while the rest of the org has a standard internet policy. Execs have the policy above the standard policy and have open access. On the group question- you're right, to get a user-id-to-group mapping you'll need to be connected to either AD or LDAP and ingest group memberships. If you're planning on doing this, make sure you filter groups so that you only get the ones you're using in policy, not the entire AD/LDAP group structure. While it's NORMALLY not an issue, we've seen some companies with 20,000+ AD groups overrun the tables on the NGFW because they didn't enable filtering.

Since this is a connection to AD, as long as there is an authentication that takes place to the domain, you should see the user/IP mapping. I would recommend checking the logs in AD and verifying that you're seeing the authentication. After that, contact TAC so they can walk through the issue with you.

Depending on the number/type of user-id sources, this is not unusual. Palo Alto Networks understands that the firewall may receive multiple formats. There's a couple ways to handle it, but it's all spelled out in the following admin guide walkthrough for how to handle multiple formats. Read it over and definitely look at steps 3 and 4 of the guide. I think it will help. docs.paloaltonetworks.com/pan-os/8-1/pan-os-new-features/user-id-features/support-for-multiple-username-formats

If I remember right from when I made the video, there was enough of a time gap that my user mappings had timed out. Check the timeout settings in Device->Userid and under the userid agent setup. In a standard corporate environment, 45 minutes is usually plenty for a timeout, but in a lab environment or where users don't login to resources as much, you might have to increase to 2 hours (or 4 or 8).

I'm playing it from youtube now and volume seems fine. Are you still having the issue, and can you elaborate on the problem?