topic user-id not mapping in General Topics

user-id not mapping

Marcellin — Thu, 16 Dec 2021 12:39:27 GMT

Hello community,

I'm facing an issue with user-id agentless.

i did the following configurations

Create LDAP Server Profile
LDAP/Group Mappings configured on FW
User-ID Group Mapping Settings.
server monotoring is connected
Include network set
User ID on the source Zone enabled
account service on AD with the differents rights : events log reader, user domain, server operators, Users of the com modele distributed.

When i verify the user mapping with this command : show user ip-user-mapping all, only the Ip address is displayed but the user and From tab are empty.

Can anybody tell why the mapping isn't working ? How to resolve this issue ? help

Re: user-id not mapping

Gustavo_Aristi — Wed, 12 Jan 2022 22:41:12 GMT

Hi there, it's been a while, did you get this resolved?

If so, what was your solution?

If not, can you test your server profile by running the commands in the below resource (step 2)?

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-cli-quick-start/use-the-cli/test-the-configuration/test-the-authentication-configuration.html

You should get a successful authentication if the authentication and server profiles are working.

Also, under device > user identification > user mapping, what do you see under the "status" column for "server monitoring"? It should show a green "Connected".

Lastly, in your authentication profile, what do you see in the "Advanced" tab > Allow list?

Re: user-id not mapping

nikoolayy1 — Thu, 13 Jan 2022 08:22:09 GMT

As @Gustavo_Aristi has provided you some great info, I will add that WMI protocol is used for IP address to user mapping not LDAP, so if you are not using the Palo Alto agent see below:

How to Configure Agentless User-ID - Knowledge Base - Palo Alto Networks

Server Monitor Account (paloaltonetworks.com)

How To Verify WMI Remote Connectivity using WBEMTEST (paloaltonetworks.com)

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClsrCAC

Agentless User-ID Error failed to parse security log buf - Knowledge Base - Palo Alto Networks

Sometimes the agent is better as to not cause CPU load and in some cases the server team may not allow non Microsoft devices to connect to the AD server:

Configure the Windows-Based User-ID Agent for User Mapping (paloaltonetworks.com)

Also when you get this done you could be interested in redistributing this info to other firewalls:

LIVEcommunity - Knowledge sharing: IP and user TAG Mappings redistribution for DAG / DUG - LIVEcommunity - 393030 (paloaltonetworks.com)