https://live.paloaltonetworks.com/t5/general-topics/reports-based-on-groups/m-p/4087#M3026 <HTML><HEAD></HEAD><BODY><P>we already tried both but report comes empty.</P></BODY></HTML> Tue, 09 Jul 2013 12:02:05 GMT Retired Member 2013-07-09T12:02:05Z https://live.paloaltonetworks.com/t5/general-topics/reports-based-on-groups/m-p/4085#M3024 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>When we try to get custom reports by typing a query for source user(domain\group) and run now, it gets empty.when we type user name it is working.</P><P>Any idea ?</P><P></P><P>Thanks</P></BODY></HTML> Tue, 09 Jul 2013 07:18:16 GMT https://live.paloaltonetworks.com/t5/general-topics/reports-based-on-groups/m-p/4085#M3024 Retired Member 2013-07-09T07:18:16Z https://live.paloaltonetworks.com/t5/general-topics/reports-based-on-groups/m-p/4086#M3025 <HTML><HEAD></HEAD><BODY><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;">Try following query : </P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;"><SPAN style="font-style: inherit; font-family: 'courier new', courier;">(user.src in 'cn=home,cn=users,dc=amb,dc=local') </SPAN></P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;"><SPAN style="font-style: inherit; font-family: 'courier new', courier;">OR (user.src in 'amb\home')</SPAN></P></BODY></HTML> Tue, 09 Jul 2013 09:15:49 GMT https://live.paloaltonetworks.com/t5/general-topics/reports-based-on-groups/m-p/4086#M3025 UhMayYeah 2013-07-09T09:15:49Z https://live.paloaltonetworks.com/t5/general-topics/reports-based-on-groups/m-p/4087#M3026 <HTML><HEAD></HEAD><BODY><P>we already tried both but report comes empty.</P></BODY></HTML> Tue, 09 Jul 2013 12:02:05 GMT https://live.paloaltonetworks.com/t5/general-topics/reports-based-on-groups/m-p/4087#M3026 Retired Member 2013-07-09T12:02:05Z https://live.paloaltonetworks.com/t5/general-topics/reports-based-on-groups/m-p/4088#M3027 <HTML><HEAD></HEAD><BODY><P>Can you query traffic logs&nbsp; using query in above formats?</P></BODY></HTML> Tue, 09 Jul 2013 18:59:47 GMT https://live.paloaltonetworks.com/t5/general-topics/reports-based-on-groups/m-p/4088#M3027 UhMayYeah 2013-07-09T18:59:47Z https://live.paloaltonetworks.com/t5/general-topics/reports-based-on-groups/m-p/4089#M3028 <HTML><HEAD></HEAD><BODY><P>for users yes we can query with domain\user</P></BODY></HTML> Tue, 09 Jul 2013 20:39:19 GMT https://live.paloaltonetworks.com/t5/general-topics/reports-based-on-groups/m-p/4089#M3028 Retired Member 2013-07-09T20:39:19Z https://live.paloaltonetworks.com/t5/general-topics/reports-based-on-groups/m-p/4090#M3029 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>The log format in 3.x is</P><P></P><P>domain, receive_time, serial, type, subtype, config_ver, time_generated, src, dst, natsrc, natdst, rule, srcuser, dstuser, app, vsys, from, to, inbound_if, outbound_if, logset, time_received,</P><P>sessionid, repeatcnt, sport, dport, natsport, natdport, flags, proto, action, bytes, bytes_sent, bytes_received, packets, start, elapsed, category, padding</P><P></P><P>If the record of the group is not written to the traffic log, i suppose it is an expected behavior that the queries based on groups will return empty.</P><P></P><P>I may be wrong since its 3.x panos.</P><P></P><P>Regards,</P><P></P><P>Deepak</P></BODY></HTML> Tue, 09 Jul 2013 22:10:38 GMT https://live.paloaltonetworks.com/t5/general-topics/reports-based-on-groups/m-p/4090#M3029 dpalani 2013-07-09T22:10:38Z https://live.paloaltonetworks.com/t5/general-topics/reports-based-on-groups/m-p/4091#M3030 <HTML><HEAD></HEAD><BODY><P>Try this :</P><P></P><P>&gt; show user ip-user-mapping ip &lt;ip of the user which shows up in traffic Logs&gt;</P><P></P><P>Use the Group in the Group(s) field for the query in the traffic logs&nbsp; :&nbsp; (user.src in '<STRONG>Group in the Group(s) field</STRONG>')</P></BODY></HTML> Tue, 09 Jul 2013 23:28:58 GMT https://live.paloaltonetworks.com/t5/general-topics/reports-based-on-groups/m-p/4091#M3030 UhMayYeah 2013-07-09T23:28:58Z https://live.paloaltonetworks.com/t5/general-topics/reports-based-on-groups/m-p/4092#M3031 <HTML><HEAD></HEAD><BODY><P>Thanks.We did that.</P><P>Still reports come empty for gorups.</P></BODY></HTML> Wed, 10 Jul 2013 00:03:03 GMT https://live.paloaltonetworks.com/t5/general-topics/reports-based-on-groups/m-p/4092#M3031 Retired Member 2013-07-10T00:03:03Z https://live.paloaltonetworks.com/t5/general-topics/reports-based-on-groups/m-p/4093#M3032 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Is PAN firewall retrieving the user-group information properly?</P><P></P><P>&gt;show user group name &lt;group name&gt;&nbsp; //this should list all the group members of the group</P><P>&gt;show user user-IDs match user &lt;username&gt; //shows the groups a user is a part of.</P><P></P><P>If the firewall is able to identify the users in the group and see traffic logs for these users, it should match the query for the report.</P><P></P><P>Thanks,</P><P>Aditi</P></BODY></HTML> Wed, 10 Jul 2013 03:23:50 GMT https://live.paloaltonetworks.com/t5/general-topics/reports-based-on-groups/m-p/4093#M3032 apasupulati 2013-07-10T03:23:50Z