Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup > Cache
To ensure that the firewall has the most current user mapping information as users roam and obtain new IP addresses, configure timeouts for clearing user mappings from the firewall cache. This timeout applies to user mappings learned through any method except Captive Portal. For mappings learned through Captive Portal, set the timeout in the Captive Portal Settings (Device > User Identification > Captive Portal Settings, Timer and Idle Timer fields).
To match usernames collected from User-ID sources even if a domain is not included, configure the firewall to allow matching usernames without domains. You should only use this option if the usernames in your organization are not duplicated across domains.
Enable User Identification Timeout
Select this option to enable a timeout value for user mapping entries. When the timeout value is reached for an entry, the firewall clears it and collects a new mapping. This ensures that the firewall has the most current information as users roam and obtain new IP addresses.
Enable the timeout to ensure the firewall has the most current user-to-IP-address mapping information.
User Identification Timeout (min)
Set the timeout value in minutes for user mapping entries (range is 1 to 3,600; default is 45).
Set the timeout value to the half-life of the DHCP lease or to the Kerberos ticket lifetime.
If you configure firewalls to redistribute mapping information, each firewall clears the mapping entries it receives based on the timeout you set on that firewall, not on the timeouts set in the forwarding firewalls.
Allow matching usernames without domains
Select this option to allow the firewall to match users if the domain is not provided by the User-ID source. To prevent users from being misidentified, only select this option if your usernames are not duplicated across domains.
Before you enable this option, verify that the firewall has fetched the group mappings from the LDAP server.
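A pre-check for the condition above, written as an added example (not Palo Alto Networks code): it scans an exported account list for usernames that exist in more than one domain. The input formats (`DOMAIN\user` and `user@domain`), the alias map that folds a DNS domain name onto its NetBIOS name, the case-insensitive comparison, and all sample values are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: account names exported from two directory domains.
SAMPLE_ACCOUNTS = [
    r"CORP\jsmith",
    r"CORP\adavis",
    "jsmith@lab.example.com",
    r"LAB\svc-backup",
    "ADavis@corp.example.com",
    r"corp\JSmith",
    "mlee",  # no domain: cannot be attributed to a domain, so it is skipped
]

# Constructed alias map: DNS domain name -> NetBIOS name of the same domain.
SAMPLE_ALIASES = {"corp.example.com": "corp", "lab.example.com": "lab"}


def split_account(entry):
    """Return (domain, username), lower-cased; domain is None if absent."""
    entry = entry.strip()
    if "\\" in entry:            # down-level form: DOMAIN\user
        domain, user = entry.split("\\", 1)
    elif "@" in entry:           # UPN form: user@domain
        user, domain = entry.rsplit("@", 1)
    else:
        domain, user = None, entry
    return (domain.lower() if domain else None), user.lower()


def duplicated_usernames(entries, aliases=None):
    """Map each username found in more than one domain to its sorted domains."""
    aliases = aliases or {}
    domains_by_user = defaultdict(set)
    for entry in entries:
        if not entry.strip():
            continue
        domain, user = split_account(entry)
        if domain is None:
            continue
        # Fold DNS and NetBIOS spellings of one domain into a single key.
        domains_by_user[user].add(aliases.get(domain, domain))
    return {u: sorted(d) for u, d in domains_by_user.items() if len(d) > 1}


if __name__ == "__main__":
    for user, domains in duplicated_usernames(SAMPLE_ACCOUNTS, SAMPLE_ALIASES).items():
        print(f"{user}: present in {', '.join(domains)}")
```

An empty result means no username in the export is shared between domains; any entry it reports is a user who could be misidentified once domain-less matching is enabled.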