Solving Palo Alto User-IP Mapping issue while connecting via Pulse Secure VPN

     In Palo Alto firewalls you can create username based rules. But TCP connections do not rely on usernames, they are based on source ip address, destination ip address, source port, destination port etc. So there should be mapping that will tell firewall which ip is mapped to the username. Palo Alto has various methods to collect and populate user-ip mappings table.
   
     In a Windows environment firewall admins used to integrate User-ID agent with Active Directory to listen logon events. So when a user logins to his/her PC in a domain, user-ip mapping is created from the logon event that is generated on the DC.

    After this brief introduction about user-ip mapping lets come to the issue, If  two users get same ip in a sequence.

   When users get connected to the corporate network via Pulse Secure VPN they are assigned an ip from the pool of a DHCP server. After this assignment, Palo Alto user id agent creates the user-ip mapping. When that specific user disconnected from the VPN, Pulse Secure sends DHCP release and the IP address sent back to the available ip pool. But the user-ip mapping is not cleared on the user-id agent side. So when another user gets connected and gets the same ip, all rules will be also valid for this user. But this is a really serious security issue.

   To solve this issue you can configure user-id agent as a syslog server and configure Pulse Secure VPN to forward auth events to this server. ,

   First you should define login-event regex to create user-ip mapping and logout regex  to clear user-ip mapping.

     Then you should add Pulse Secure VPN ip as a syslog sender and add above event filters to the profile.

    After these settings user-ip mappings will updated as expected. And no wrong user-ip mapping will occur.