https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-wrong-mapping-with-specific-ips/m-p/510077#M106166 <P>Hello!<BR />Thanks for your replies. <BR />I rebooted the firewall-cluster but the wrong mapping appeared again.<BR />Then I used these commands, that solved the problem.<BR />First find the user-id with the show command, then clear the entries for this id:</P> <P><STRONG>show user user-ids match-user username</STRONG></P> <P><STRONG>clear user-policy-cache uid xx</STRONG><BR /><STRONG>clear uid-cache uid xx</STRONG><BR /><STRONG>clear uid-map-cache uid xx</STRONG></P> <P>&nbsp;</P> Wed, 27 Jul 2022 19:25:18 GMT ChrisCon2355 2022-07-27T19:25:18Z https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-wrong-mapping-with-specific-ips/m-p/509815#M106123 <P>Hello,<BR />since a few days we see strange things with User-ID-agent.<BR />For some specific IP-addresses there are shown wrong users. This users even are not in the internal AD, they are just external VPN users invited from Azure. But they are mapped to internal ip addresses. Even if they are not online over VPN.<BR />When looking into Monitor - User-ID in the column "user provided by source" there is the correct user. But in the column "user" the wrong user is shown. And this is also what we see in the CLI. We've cleaned the user-cache, installed now User-ID-Agent on the domain controllers (but of course, there the correct users are shown).<BR />Running Pan-OS 10.1.6-h3 on the firewalls.<BR />Any ideas?</P> <P>Thanks.</P> Mon, 25 Jul 2022 17:07:09 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-wrong-mapping-with-specific-ips/m-p/509815#M106123 ChrisCon2355 2022-07-25T17:07:09Z https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-wrong-mapping-with-specific-ips/m-p/509844#M106125 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/219283">@ChrisCon2355</a>,</P> <P>Do these users utilize any services on these internal IPs that would cause them to authenticate to the host in question? If the service is using standard Windows Auth, that might help explain why these users are showing on internal resources.</P> <P>&nbsp;</P> <P>If the User is differentiating from the User Provided by Source, have you verified the attributes that you have configured in regards to the source? Is it possible that whatever is triggering these authentication events is using a different directory attribute that you aren't expecting, causing them to match when they shouldn't? Maybe some relayed authentication events is using the same sAMAccountName or userPrincipalName or whatever you have the Primary Username attribute setup to?&nbsp;</P> Mon, 25 Jul 2022 21:16:53 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-wrong-mapping-with-specific-ips/m-p/509844#M106125 BPry 2022-07-25T21:16:53Z https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-wrong-mapping-with-specific-ips/m-p/510077#M106166 <P>Hello!<BR />Thanks for your replies. <BR />I rebooted the firewall-cluster but the wrong mapping appeared again.<BR />Then I used these commands, that solved the problem.<BR />First find the user-id with the show command, then clear the entries for this id:</P> <P><STRONG>show user user-ids match-user username</STRONG></P> <P><STRONG>clear user-policy-cache uid xx</STRONG><BR /><STRONG>clear uid-cache uid xx</STRONG><BR /><STRONG>clear uid-map-cache uid xx</STRONG></P> <P>&nbsp;</P> Wed, 27 Jul 2022 19:25:18 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-wrong-mapping-with-specific-ips/m-p/510077#M106166 ChrisCon2355 2022-07-27T19:25:18Z