USER-ID Settings: Why is the "User Identification Timeout" a global setting

ottench — Wed, 19 Mar 2014 13:05:27 GMT

Hi,

i use a syslog collector to receive ip-user-mappings from an Juniper Secure Access Gateway.

It works quite fine, i created a custom syslog filter on my paloalto and created the correspondig Server Monitor entry for my Juniper Systems.

a simple "show user server-monitor state all" on the commandline shows that the collector receives the corresponding logs and that the filter works:

UDP Syslog Listener Service is enabled
SSL Syslog Listener Service is disabled

Proxy: xxxxx    Host: xxxxx(1xxx.xxx.xxx.xxx)
        number of log messages                            : 83
        number of auth. success messages                  : 16

additionaly the commands "show user ip-user-mapping all type SYSLOG" show that the current mappings:

From

User

IdleTimeout(s) MaxTimeout(s)

--------------- ------- --------------------------- -------------- -------------

xxx.xxx.xxx.xxx SYSLOG xxx	2429	2429
xxx.xxx.xxx.xxx SYSLOG xxx	1619	1619
xxx.xxx.xxx.xxx SYSLOG xxx	2404	2404
xxx.xxx.xxx.xxx SYSLOG xxx	2678	2678

Total: 4 users

The probem is that my juniper does not log any keep alive messages, so when the "Idle Timeout" or the "Max Timeout" on the paloalto for the mapping is reached. The mapping will be deleted, regardless of a still existing session on my juniper.

I thought that one solution might be to increase the "User Identification Timeout" but then i saw that this is a global setting on the pa and that this setting will also increase the Timeouts for my AD User-Agent and my Terminalserver-Agents.

Why can there be different timeout values for the different User-ID Domains, i saw that you already seperated them ...

AD	Active Directory
CP	Captive Portal
EDIR	eDirectory
GP	Global Protect
NTLM	NTLM

SSL/VPN SSL VPN

SYSLOG	Syslog
UIA	User-ID Agent

UNKNOWN Unknown

XMLAPI

XML API

Kind regards

Christoph

Re: USER-ID Settings: Why is the "User Identification Timeout" a global setting

tomasz.niewdana — Sat, 19 Apr 2014 20:44:39 GMT

Hi,

You could parse syslog messages on another device (ex. Linux), and next generate XML-API update request to USER-ID with choosen timeout value.

Juniper -> (Syslog) -> Linux Server -> (XML-API) -> Palo Device

Setting the Timeout for User to IP mapping Created Using User-ID XML-API

http://www.rsyslog.com/doc/v8-stable/configuration/actions.html?highlight=execute#shell-execute

Re: USER-ID Settings: Why is the "User Identification Timeout" a global setting

CHammock — Tue, 22 Apr 2014 08:34:06 GMT

It looks like you are using the onbox agent to send the syslog to. If you have the resource why don't you install the V6 UserID agent on a server and point the syslog from the Juniper to that. The timeout setting on the agent will then be unique to only your syslog users.

I do however agree that you should be able to set different timeout values for each type of user-ip mapping. But the above should be a sufficient work around

topic Re: USER-ID Settings: Why is the "User Identification Timeout" a global setting in Automation/API Discussions

USER-ID Settings: Why is the "User Identification Timeout" a global setting

Re: USER-ID Settings: Why is the "User Identification Timeout" a global setting

Re: USER-ID Settings: Why is the "User Identification Timeout" a global setting