1. Home
    2. PAN-OS
    3. PAN-OS Web Interface Reference
    4. User Identification
    5. Device > User Identification > User Mapping
    6. Palo Alto Networks User-ID Agent Setup
    7. Cache

    Cache

    • Device
      User Identification
      User Mapping
      Palo Alto Networks User-ID Agent Setup
      Cache
    To ensure that the firewall has the most current user mapping information as users roam and obtain new IP addresses, configure timeouts for clearing user mappings from the firewall cache. This timeout applies to user mappings learned through any method except Captive Portal. For mappings learned through Captive Portal, set the timeout in the Captive Portal Settings (Device > User Identification > Captive PortalSettings,
    Timer
     and
    Idle Timer
     fields).
    To match usernames collected from User-ID sources even if a domain is not included, configure the firewall to allow matching usernames without domains. You should only use this option if the usernames in your organization are not duplicated across domains.
    Cache Settings
    Description
    Enable User Identification Timeout
    Select this option to enable a timeout value for user mapping entries. When the timeout value is reached for an entry, the firewall clears it and collects a new mapping. This ensures that the firewall has the most current information as users roam and obtain new IP addresses.
    Enable the timeout to ensure the firewall has the most current user-to-IP-address mapping information.
    User Identification Timeout (min)
    Set the timeout value in minutes for user mapping entries (range is 1 to 3,600; default is 45).
    Set the timeout value to the half-life of the DHCP lease or to the Kerberos ticket lifetime.
    If you configure firewalls to redistribute mapping information, each firewall clears the mapping entries it receives based on the timeout you set on that firewall, not on the timeouts set in the forwarding firewalls.
    Allow matching usernames without domains
    Select this option to allow the firewall to match users if the domain is not provided by the User-ID source. To prevent users from being misidentified, only select this option if your usernames are not duplicated across domains.
    Before you enable this option, verify that the firewall has fetched the group mappings from the LDAP server.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2021 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo