topic Re: Agentless USER-ID - rules in General Topics

Agentless USER-ID - rules

burtond — Thu, 14 Jan 2016 14:43:57 GMT

Good Day

I'm testing user-id in policy-rules and its not working the way I thought it would.

Example Rule

src zone/ip - Zone A/any

dst zone/ip - Zone B/any

user - gdc\test.user

application - any

service - application-default

action - allow

I start a ping to a server/workstation from Zone A to Zone B and I get request timeout, but if I remove the user the ping works.

This is not how I thought it would work, I thought if I'm pinging from a workstation logged in as test.user that in the rule if I added the user it would ping throw, but it isn't.

Can you tell me why this is happening?

Dana

Re: Agentless USER-ID - rules

Brandon_Wertz — Thu, 14 Jan 2016 15:01:09 GMT

have you validated that the firewall has a mapping of the IP to User?

Do you see a deny log showing the ICMP request with the source user the traffic is being generated from?

Re: Agentless USER-ID - rules

burtond — Thu, 14 Jan 2016 15:04:31 GMT

Yes it connects to the AD brings back the userid mappings, and yes it is dropping the ICMP ping, but as I mentioned if I delete the user the ping works.

Re: Agentless USER-ID - rules

OtakarKlier — Thu, 14 Jan 2016 17:00:57 GMT

Hello,

When you are lookigng at the logs, Click the maginifying glass on the far left and see if its picking up the username.

Regards,

Re: Agentless USER-ID - rules

Brandon_Wertz — Thu, 14 Jan 2016 17:13:53 GMT

When you say "it brings back the user id mappings." Does it actually provide the IP to User ID mapping for the source user in question?

In the deny log, does the denied ICMP request show the source user ID that you're expecting?

You should see something like this:

ME@FIREWALLNAME(active)> show user ip-user-mapping(mp) ip (USER IP 1.1.11)

IP address: (USER IP 1.1.1.1) (vsys1)
User: (USER ID)
From: UIA
Idle Timeout: 3371s
Max. TTL: 3371s
Groups that the user belongs to (used in policy)

Re: Agentless USER-ID - rules

burtond — Fri, 15 Jan 2016 16:18:19 GMT

Yes I get the correct user mapping. The rule is jump and go to the deny all rule a the bottom of the rules set... which is wierd, but if I set the User tab to "known-user" it works..... but not if I choose select and put in the group.

Re: Agentless USER-ID - rules

Brandon_Wertz — Fri, 15 Jan 2016 16:28:37 GMT

@burtond some screen shots might be helpful for us...Rule/Logs

Also if you're using a "group" in the rule do you have that group in the "Group Mapping?" In the user identifcation in the "Group Include List?"

Re: Agentless USER-ID - rules

burtond — Fri, 15 Jan 2016 16:35:27 GMT

Yes, I've even removed the User Identification setting commited and configured it again and still the same issue

Re: Agentless USER-ID - rules

burtond — Fri, 15 Jan 2016 19:58:09 GMT

Networking

Groups

User Mappings

User

All the groups

Group Domain Users

Rule that works

Ping to Zone B

Ping Allowed

Rule that doesn't work

Ping to Zone B 2

Ping dropped

Re: Agentless USER-ID - rules

reaper — Mon, 18 Jan 2016 07:50:52 GMT

In your group mapping, the users are mapped as 'zonea.ca\user' while in the user mapping, the user is 'zonea\user'

This means the mapping information from the group is set to the FQDN while the uidagent collects the netbios domain

this causes a mismatch when your security policy is set to a group

you can resolve this issue by setting the group mapping user domain to the netbios version:

once this is committed, refresh your group mapping

> debug user-id reset group-mapping all
> debug user-id refresh group-mapping all

afterward your users should start showing up in the group listing as zonea\user1 zonea\user2 etc

hope this helps

Tom

Re: Agentless USER-ID - rules

burtond — Mon, 18 Jan 2016 12:52:22 GMT

I'm running PAN-VM version 6.17 so the Group Mapping - Server Profile tab looks like this

Re: Agentless USER-ID - rules

burtond — Mon, 18 Jan 2016 12:55:55 GMT

I found it, it is under the Server Profile - LDAP, thanks

Re: Agentless USER-ID - rules

burtond — Mon, 18 Jan 2016 13:04:26 GMT

Thanks Reaper, worked like a charm....very cool