https://live.paloaltonetworks.com/t5/general-topics/user-id-anomalies/m-p/604258#M119934 <P>Hi,</P> <P>&nbsp;</P> <P>I had a strange behaviour with some user on user ID. We have 2 site A and B and our firewall have the mapping from the same agent.</P> <P>&nbsp;</P> <P>we found that user1 access site A and user2 access site B.</P> <P>issue that we found that user1 is access site B using the user2 IP.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DennyChanditya_0-1729151292634.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/63006iE104290980EC4CDE/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="DennyChanditya_0-1729151292634.png" alt="DennyChanditya_0-1729151292634.png" /></span></P> <P>&nbsp;</P> <P>We check on each site the mapping is fine, but we dont find the user1 mapping to IP user2 on all firewall.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DennyChanditya_1-1729151338014.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/63007i95B4137D08CF2211/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="DennyChanditya_1-1729151338014.png" alt="DennyChanditya_1-1729151338014.png" /></span></P> <P>&nbsp;</P> <P>we check on User ID logs GUI and CLI it dont have any history about user1 was mapping to IP that user2 is using.</P> <P>&nbsp;</P> <P>Any clue where i can find this data related to user id mapping, because i was use all the CLI command but didn't find the information that&nbsp;user1 was mapping to IP user2.</P> <P>&nbsp;</P> <P>Thanks before.</P> <P>&nbsp;</P> Thu, 17 Oct 2024 07:49:03 GMT DennyChanditya 2024-10-17T07:49:03Z https://live.paloaltonetworks.com/t5/general-topics/user-id-anomalies/m-p/604258#M119934 <P>Hi,</P> <P>&nbsp;</P> <P>I had a strange behaviour with some user on user ID. We have 2 site A and B and our firewall have the mapping from the same agent.</P> <P>&nbsp;</P> <P>we found that user1 access site A and user2 access site B.</P> <P>issue that we found that user1 is access site B using the user2 IP.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DennyChanditya_0-1729151292634.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/63006iE104290980EC4CDE/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="DennyChanditya_0-1729151292634.png" alt="DennyChanditya_0-1729151292634.png" /></span></P> <P>&nbsp;</P> <P>We check on each site the mapping is fine, but we dont find the user1 mapping to IP user2 on all firewall.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DennyChanditya_1-1729151338014.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/63007i95B4137D08CF2211/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="DennyChanditya_1-1729151338014.png" alt="DennyChanditya_1-1729151338014.png" /></span></P> <P>&nbsp;</P> <P>we check on User ID logs GUI and CLI it dont have any history about user1 was mapping to IP that user2 is using.</P> <P>&nbsp;</P> <P>Any clue where i can find this data related to user id mapping, because i was use all the CLI command but didn't find the information that&nbsp;user1 was mapping to IP user2.</P> <P>&nbsp;</P> <P>Thanks before.</P> <P>&nbsp;</P> Thu, 17 Oct 2024 07:49:03 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-anomalies/m-p/604258#M119934 DennyChanditya 2024-10-17T07:49:03Z https://live.paloaltonetworks.com/t5/general-topics/user-id-anomalies/m-p/606699#M120368 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/187777">@DennyChanditya</a>,</P> <P>Looks like you're using XFF for mapping which complicates things. You might want to spend some time with&nbsp;<A href="https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/identify-users-connected-through-a-proxy-server/use-xff-values-for-policies-and-logging-source-users" target="_blank">https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/identify-users-connected-through-a-proxy-server/use-xff-values-for-policies-and-logging-source-users</A>&nbsp;more specifically&nbsp;<A href="https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/identify-users-connected-through-a-proxy-server/add-xff-values-to-url-filtering-logs#id1bc409ba-74ba-4402-8480-ffa128542926" target="_blank">https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/identify-users-connected-through-a-proxy-server/add-xff-values-to-url-filtering-logs#id1bc409ba-74ba-4402-8480-ffa128542926</A>&nbsp;mentioned on that page.&nbsp;</P> Thu, 17 Oct 2024 23:30:53 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-anomalies/m-p/606699#M120368 BPry 2024-10-17T23:30:53Z https://live.paloaltonetworks.com/t5/general-topics/user-id-anomalies/m-p/606750#M120399 <P>We are not using XFF Configuration, only user ID from the agent, issue here we didnt find the mapping for specific user on user-id logs even no history about it. but on traffic log it shows the IP is&nbsp; used by that source user</P> Fri, 18 Oct 2024 04:01:28 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-anomalies/m-p/606750#M120399 DennyChanditya 2024-10-18T04:01:28Z https://live.paloaltonetworks.com/t5/general-topics/user-id-anomalies/m-p/615707#M121843 <P>Still not getting update until now, already opencase</P> <P>we found that in one session, it was different logs from Traffic log GUI and CLI<BR />from GUI it was incorrect mapping ip and user, but in CLI it was correct mapping for ip and user.</P> <P>&nbsp;</P> <P>userid agent and user id logs is fine, they have the right mapping, but only in the traffic logs</P> Wed, 30 Oct 2024 03:44:45 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-anomalies/m-p/615707#M121843 DennyChanditya 2024-10-30T03:44:45Z https://live.paloaltonetworks.com/t5/general-topics/user-id-anomalies/m-p/615768#M121852 <P>What code are you running? We ran into an issue where ID mapping wasn't correct on 3410s running 10.2.7, it was identified as <SPAN>PAN-239366.&nbsp; Maybe you're hitting this bug?&nbsp; A reboot of firewalls was needed to get the mapping to show correctly.&nbsp; There was also a debug command which could be ran in-lieu-of the reboot, but my suggestion is to confirm with TAC your issue could be related to this bug.&nbsp; If it is they can also provide a work around.</SPAN></P> <P>&nbsp;</P> <P><SPAN>I think 10.2.10-h4 fixes this bug, TAC can also confirm this.</SPAN></P> Wed, 30 Oct 2024 13:09:06 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-anomalies/m-p/615768#M121852 Brandon_Wertz 2024-10-30T13:09:06Z https://live.paloaltonetworks.com/t5/general-topics/user-id-anomalies/m-p/626213#M122082 <P>Im usngi PA5220, with 10.2.9-h1, as the last activity we do the restart log-receiver on the firewall as per TAC said.</P> <P>still dont know what cause this, but so far the uid agent mapping and users on log traffic is correct.</P> <P>&nbsp;</P> <P>we still monitoring until now, because we found out that the traffic&nbsp; log from GUI and CLI is different for showing the source users.</P> Tue, 19 Nov 2024 08:19:32 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-anomalies/m-p/626213#M122082 DennyChanditya 2024-11-19T08:19:32Z