topic Re: source user showing as unknown in traffic monitor in General Topics

source user showing as unknown in traffic monitor

dthibodeaux — Tue, 03 Feb 2015 17:50:45 GMT

Found an issue on a customer's firewall. For some reason, the “source user” becomes unknown while students are using a web application called Istation. When that happens, the web traffic for that IP address becomes blocked by another policy. She wrote a specific policy for Istation traffic even if the user is unknown to resolve this issue. But the real question is….Why is the “source user” blanking out in the middle of using a web application?

Appreciate your thoughts and suggestions.

Thanks

Re: source user showing as unknown in traffic monitor

oklier — Tue, 03 Feb 2015 19:19:13 GMT

I'm fighting a similar issue on my side especially with users on VPN getting the wrong web-filtering policy. I have not seen the 'unknown' source user, its usually just he username on the VPN without the domain (in my case so this is why they get the wrong policy). Support did provide guidance on this for me, perhaps they can do the same for you?

Another thing that just occurred to me, how many user-id agents are you using or are you using the PAN's for the direct lookup?

Re: source user showing as unknown in traffic monitor

dthibodeaux — Tue, 03 Feb 2015 21:14:27 GMT

haven't opened a case yet...we may try to upgrade to at least 6.0.7 and see if that helps. The agent is installed on one server.

Re: source user showing as unknown in traffic monitor

oklier — Tue, 03 Feb 2015 21:17:05 GMT

I would say depending on the size of the environment including AD, I would recommend bumping that number up to maybe two or three. That way if one is not responding or up, you have something to refer to.

Re: source user showing as unknown in traffic monitor

emr_1 — Wed, 04 Feb 2015 02:37:19 GMT

A couple of my customers hit similar issue.

Does your firewall run over 388 days?

There is one fixed issue which is bug#64166. (you can find it in 5.0.14 RN or 6.0.4 RN.

Re: source user showing as unknown in traffic monitor

Quinton — Thu, 05 Feb 2015 16:06:12 GMT

Sounds like the user is caching out. Nothing to do with the application. I'm assuming these computers are part of the domain since you do pick up the user initially through the user-ID agent. Did you enable "Server session monitoring" in the userID agent? Also is WMI probing enabled and working? Both these mechanisms will help keep the user to IP mappings fresh.

Re: source user showing as unknown in traffic monitor

dthibodeaux — Wed, 11 Feb 2015 19:28:09 GMT

@emr-the box has not been up that long. Thanks

@Quinton- not sure on the session monitoring..I will check. Will also check WMI probing. How would I know if it is working or not?? These are actually wireless users, if that matters.

Thanks!

Re: source user showing as unknown in traffic monitor

Quinton — Thu, 12 Feb 2015 10:49:48 GMT

Wireless is no problem. Are these devices part of the Windows domain?

Re: source user showing as unknown in traffic monitor

Wenar — Thu, 12 Feb 2015 14:13:52 GMT

Do you use wmi probing?

What do you see with the following command: debug user-id dump probing-stats

If you use probing and it fails three times to get a user from the client, the already mapped user will be deleted for the IP address.