https://live.paloaltonetworks.com/t5/next-generation-firewall/pan-user-id-agent/m-p/520640#M554 <P>Hi All,</P> <P>&nbsp;</P> <P>I installed User-ID Agent on the Windows DC, and it is working somewhat successfully. For some odd reason it recognizes the users from our domain but on the app's monitoring tab, where I can see the IP-User correlations, sometimes the users are identified like this:</P> <P>domain\user</P> <P>&nbsp;</P> <P>and sometimes like this</P> <P><A href="mailto:user@domain.com" target="_blank">user@domain.com</A></P> <P>&nbsp;</P> <P>Sometimes the latter converts to the first option sometimes not.&nbsp;</P> <P>&nbsp;</P> <P>Also I'm not sure how it actually works. I was logged in to my computer and I could see myself at the list of users on User-ID Agent but after a few minutes I disappeared - while i was logged in to my machine, and actively using it. So I might be missing something?</P> <P>&nbsp;</P> <P>Thanks,</P> <P>Daniel</P> Tue, 08 Nov 2022 13:50:18 GMT olloczky1 2022-11-08T13:50:18Z https://live.paloaltonetworks.com/t5/next-generation-firewall/pan-user-id-agent/m-p/520640#M554 <P>Hi All,</P> <P>&nbsp;</P> <P>I installed User-ID Agent on the Windows DC, and it is working somewhat successfully. For some odd reason it recognizes the users from our domain but on the app's monitoring tab, where I can see the IP-User correlations, sometimes the users are identified like this:</P> <P>domain\user</P> <P>&nbsp;</P> <P>and sometimes like this</P> <P><A href="mailto:user@domain.com" target="_blank">user@domain.com</A></P> <P>&nbsp;</P> <P>Sometimes the latter converts to the first option sometimes not.&nbsp;</P> <P>&nbsp;</P> <P>Also I'm not sure how it actually works. I was logged in to my computer and I could see myself at the list of users on User-ID Agent but after a few minutes I disappeared - while i was logged in to my machine, and actively using it. So I might be missing something?</P> <P>&nbsp;</P> <P>Thanks,</P> <P>Daniel</P> Tue, 08 Nov 2022 13:50:18 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/pan-user-id-agent/m-p/520640#M554 olloczky1 2022-11-08T13:50:18Z https://live.paloaltonetworks.com/t5/next-generation-firewall/pan-user-id-agent/m-p/522512#M622 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/256169">@olloczky1</a> ,</P> <P>This is most probably caused by who user credentials where sent to the AD for authentication. But if your domain is properly configured you don't have to worry. As explained here <A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFnCAK" target="_blank">All about User-ID domain map - Knowledge Base - Palo Alto Networks</A> FW is able to handle this and "normalize" the username and use single format. The link describe this is happening at the integrated user-id agent (on the firewall itself), but I suspect the User-ID agent application is doing it as well, before sending it to the firewall.</P> <P>&nbsp;</P> <P>You should be able to check how FW receives user-ip mapping from the agent by looking at User-ID logs on the FW:</P> <P>Monitoring -&gt; User-ID. There you can check the following columns (if not show by default you can add it)</P> <P>- User: this will be the username after normalization</P> <P>- User Provided by Source: self explanatory</P> <P>- Source Name: the source of the user-ip-mapping information.</P> Sun, 27 Nov 2022 21:33:07 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/pan-user-id-agent/m-p/522512#M622 aleksandar.astardzhiev 2022-11-27T21:33:07Z