topic Re: Traffic log source user different from User-ID log in General Topics

Traffic log source user different from User-ID log

EdmarFrancis — Mon, 29 Jul 2024 08:16:55 GMT

Hi everyone,

Greetings!

PA-1410
11.0.4-h1

I have a bit odd issue, the traffic log (ip address) is showing a local firewall account as the source user but when checking the user-mapping (show user ip-user-mapping ip) or User-ID log was mapped to an AD-user.

Is it possible for the local firewall account to show as a source user?
is it possible that this is just a GUI bug?

deleted the local firewall account and seems to have the issue fixed.

Re: Traffic log source user different from User-ID log

JayGolf — Wed, 31 Jul 2024 18:09:07 GMT

Hi @EdmarFrancis ,

Since deleting the local fw fixed the issue, it could be a User-ID cache issue. You can try running a command like "clear user-cache all" next time to see if it fixes the issue. The User-ID cache on the fw might have had stale or incorrect entries, causing the local firewall account to be shown in the traffic log.

Re: Traffic log source user different from User-ID log

EdmarFrancis — Thu, 01 Aug 2024 05:09:53 GMT

Hi @JayGolf , thanks for your response. did try to delete the cache (clear user-cache ip xx.xx) but same. It seems to be legitimate traffic.
Per my understanding the local firewall user is able to show as source user when for example used to authenticate to GlobalProtect app or Captive portal, is that right?

Re: Traffic log source user different from User-ID log

Brandon_Wertz — Tue, 06 Aug 2024 15:30:02 GMT

@EdmarFrancis wrote:

Hi everyone,

Greetings!

PA-1410
11.0.4-h1

I have a bit odd issue, the traffic log (ip address) is showing a local firewall account as the source user but when checking the user-mapping (show user ip-user-mapping ip) or User-ID log was mapped to an AD-user.

Is it possible for the local firewall account to show as a source user?
is it possible that this is just a GUI bug?

deleted the local firewall account and seems to have the issue fixed.

@EdmarFrancis I know you mentioned deleting a user fixed your issue, but i have hit a user ID bug where the IP to user-id mapping was wrong. It was identified as PAN-239366 which is fixed in these versions: "11.2.0, 11.1.3, 10.2.10, 10.2.11, 11.1.5, 10.2.4-h19, 12.1.0, 10.2.9-h9" (List I got from TAC, that said they didn't indicate an 11.0.X version which seems weird.)

There is a work around for this, which is to restart both firewalls (obviously very intrusive) or running this command "debug software restart process log-receiver." I'm not certain of the impact of that restart command, so I would advise reaching out to TAC to confirm if you're hitting this bug or run the command in a maintenance window.

Re: Traffic log source user different from User-ID log

EdmarFrancis — Wed, 07 Aug 2024 07:08:37 GMT

@Brandon_Wertz appreciate you sharing information.
For your issue, is the user that is wrongly mapped both an AD user?
Since in my case, it is a local firewall user.

Re: Traffic log source user different from User-ID log

Brandon_Wertz — Wed, 07 Aug 2024 12:57:30 GMT

@EdmarFrancis wrote:

@Brandon_Wertz appreciate you sharing information.
For your issue, is the user that is wrongly mapped both an AD user?
Since in my case, it is a local firewall user.

It was an AD mapped user (Both were AD mapped.) I'm honestly not sure if this bug could be matched to local user account.