Lessons learned : Global Protect + User ID w/ Palo Alto Networks firewall

Scenario : A palo alto firewall has been successfully setup to use global protect, along with LDAP authentication. Also, USER-ID has been setup internally,with firewall policies written to include username / groups. This allows the firewall administrator to deploy consistent firewall policies to both internal and VPN users, based on active directory groups

Problem: After a relatively long period of time (months), global protect users complain that although they can connect successfully, no internal resources are reachable over VPN. Further investigation on the firewall shows that the firewall correctly authenticates the user:

show user ip-user-mapping all

In the output of the above command, look for “GP” in the “from” column. The firewall also correctly maps the user to the correct group:

show user group name 6pmmalta\abcxyz

However, the firewall traffic logs show the user generated traffic hitting the default deny rule that should be fired only when a user is not identified, or not placed in the correct group. This obviously seems to be a bug of some kind, one which I think is related to user caching. The following workaround got us back up and running:

1. Run the following commands to refresh the user-group mappings:

debug user-id clear group all

debug user-id refresh group-mapping all

clear user-cache

2. Defined a bogus user id agent under “device > user identification > user-id agents”. Commited configuration

3. Deleted the above user id agent and re-committed

After the above three steps were taken, VPN connectivity was restored.