User-id ip mapping issue

JoDongWook — Tue, 13 Aug 2024 09:35:22 GMT

Hi all

my customer having problem with user-id

I am trying to solve this issue but not working, so I need help

Customer divice pa-3410 panOS10.2.9 connection with microsoft Active-directory 2012R2(not sure)

Its agenteless user-id, winrm http, ldap and keberos connection.

for example VPN user(3rdParty vpn) get Auth from AD with SSO (fri/k-yunsw)

Local user get auth from AD with (fri/yunsw) both user same person but they has different IP(different zone, vpn user has no group on AD server, local user has group on AD server)

If fri/yunsun loged in as local user some times PA reconiging as a local user(user-id log fri/yunsun, its correct.) but, traffic monitor says fri/k-yunsw, so the traffic has denied.

After then I ignore user 'fri/k-*'(add ignore user list) but still PA monitor log says 'fri/k-xxx user dinied'.

I checked cli

'show user ip-user-mapping all | fri/k-' not poped up

admin@NGFW> show log userid | match k-yunsw not poped up

admin@NGFW>

3, there is only fri\yunsw

8...skipping...

985,0x0,0,0,0,0,NGFW-USER,NGFW,2,,2024/08/09 11:37:22,1,0x80000000,fri\yunsw,,2024-08-09T11:37:32.551+09:00

1,2024/08/09 12:49:49,024101008522,USERID,login,2562,2024/08/09 12:49:49,vsys2,172.25.20.141,fri\yunsw,tdc.fri.kr,0,1,7187,0,0,active-directory,,7362383078554855078,0x0,0,0,0,0,NGFW-USER,NGFW,2,,2024/08/09 12:49:36,1,0x80000000,fri\yunsw,,2024-08-09T12:49:49.974+09:00

1,2024/08/09 13:19:05,024101008522,USERID,login,2562,2024/08/09 13:19:05,vsys2,172.25.20.141,fri\yunsw,tdc.fri.kr,0,1,7187,0,0,active-directory,,7362383078554861902,0x0,0,0,0,0,NGFW-USER,NGFW,2,,2024/08/09 13:18:52,1,0x80000000,fri\yunsw,,2024-08-09T13:19:05.627+09:00

1,2024/08/09 14:04:50,024101008522,USERID,login,2562,2024/08/09 14:04:50,vsys2,172.25.20.141,fri\yunsw,tdc.fri.kr,0,1,7189,0,0,active-directory,,7362383078554872019,0x0,0,0,0,0,NGFW-USER,NGFW,2,,2024/08/09 14:04:39,1,0x80000000,fri\yunsw,,2024-08-09T14:04:50.485+09:00

1,2024/08/09 14:48:49,024101008522,USERID,login,2562,2024/08/09 14:48:49,vsys2,172.25.20.141,fri\yunsw,tdc.fri.kr,0,1,7186,0,0,active-directory,,7362383078554882345,0x0,0,0,0,0,NGFW-USER,NGFW,2,,2024/08/09 14:48:36,1,0x80000000,fri\yunsw,,2024-08-09T14:48:50.029+09:00

1,2024/08/09 15:25:53,024101008522,USERID,login,2562,2024/08/09 15:25:53,vsys2,172.25.20.141,fri\yunsw,tdc.fri.kr,0,1,7190,0,0,active-directory,,7362383078554890596,0x0,0,0,0,0,NGFW-USER,NGFW,2,,2024/08/09 15:25:44,1,0x80000000,fri\yunsw,,2024-08-09T15:25:54.339+09:00

1,2024/08/09 15:37:10,024101008522,USERID,login,2562,2024/08/09 15:37:10,vsys2,172.25.20.141,fri\yunsw,tdc.fri.kr,0,1,7186,0,0,active-directory,,7362383078554892997,0x0,0,0,0,0,NGFW-USER,NGFW,2,,2024/08/09 15:36:56,1,0x80000000,fri\yunsw,,2024-08-09T15:37:10.937+09:00

1,2024/08/09 15:44:54,024101008522,USERID,login,2562,2024/08/09 15:44:54,vsys2,172.25.20.141,fri\yunsw,pdc.fri.kr,0,1,7176,0,0,active-directory,,7362383078554894785,0x0,0,0,0,0,NGFW-USER,NGFW,2,,2024/08/09 15:44:30,1,0x80000000,fri\yunsw,,2024-08-09T15:44:54.764+09:00

1,2024/08/09 16:07:56,024101008522,USERID,login,2562,2024/08/09 16:07:56,vsys2,172.25.20.141,fri\yunsw,tdc.fri.kr,0,1,7188,0,0,active-directory,,7362383078554899688,0x0,0,0,0,0,NGFW-USER,NGFW,2,,2024/08/09 16:07:44,1,0x80000000,fri\yunsw,,2024-08-09T16:07:56.830+09:00

1,2024/08/09 16:16:47,024101008522,USERID,login,2562,2024/08/09 16:16:47,vsys2,172.25.20.141,fri\yunsw,pdc.fri.kr,0,1,7179,0,0,active-directory,,7362383078554901455,0x0,0,0,0,0,NGFW-USER,NGFW,2,,2024/08/09 16:16:27,1,0x80000000,fri\yunsw,,2024-08-09T16:16:48.197+09:00

1,2024/08/09 16:27:11,024101008522,USERID,login,2562,2024/08/09 16:27:11,vsys2,172.25.20.141,fri\yunsw,tdc.fri.kr,0,1,7191,0,0,active-directory,,7362383078554904535,0x0,0,0,0,0,NGFW-USER,NGFW,2,,2024/08/09 16:27:02,1,0x80000000,fri\yunsw,,2024-08-09T16:27:11.922+09:00

1,2024/08/09 16:47:43,024101008522,USERID,login,2562,2024/08/09 16:47:43,vsys2,172.25.20.141,fri\yunsw,tdc.fri.kr,0,1,7200,0,0,active-directory,,7362383078554912869,0x0,0,0,0,0,NGFW-USER,NGFW,2,,2024/08/09 16:47:44,1,0x80000000,fri\yunsw,,2024-08-09T16:47:44.058+09:00

admin@NGFW> GGGGGG

A few days later I checked 'Enable Server Session Read' but Customer says still not working.

any idea??

topic User-id ip mapping issue in Next-Generation Firewall Discussions

User-id ip mapping issue