https://live.paloaltonetworks.com/t5/general-topics/how-does-the-firewall-work-when-they-received-unknown-user-s/m-p/5684#M4163 <HTML><HEAD></HEAD><BODY><P>Thanks, rmonvon, It works. But it took more time (about 10 sec) than I've expected. :smileygrin:</P><P>Anyway It was very useful , Thanks Again. </P></BODY></HTML> Mon, 04 Feb 2013 06:14:05 GMT JTR 2013-02-04T06:14:05Z https://live.paloaltonetworks.com/t5/general-topics/how-does-the-firewall-work-when-they-received-unknown-user-s/m-p/5682#M4161 <HTML><HEAD></HEAD><BODY><P>Hello, Guys. Nice to meet you.</P><P>I'm testing User-ID in PAN OS 4.1 and USER Agent 4.1.</P><P>There's something curious situation during my lab test.</P><P>I've deleted all ip-user-mapping information with 'clear user-cache all'.</P><P>So all users is unknown to firewall.</P><P></P><P><IMG alt="1.jpg" class="jive-image-thumbnail jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/5485_1.jpg" width="450" /></P><P></P><P>But the user agent still has ip-user mapping information using WMI probing.</P><P><IMG alt="2.jpg" class="jive-image-thumbnail jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/5507_2.jpg" width="450" /></P><P></P><P></P><P></P><P>In this case, I think the firewall should ask USER Agent&nbsp; to get ip-user mapping information for the unknown user.</P><P>But the firewall can't get any information from the USER Agent, and the user still remains unknown.</P><P></P><P><IMG alt="3.jpg" class="jive-image-thumbnail jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/5508_3.jpg" width="450" /></P><P>and 'num of request of ip mapping msgs sent' doesn't increase.. only 'num of states msgs rcvd' and 'num of request of status msgs sent'</P><P>are increasing..</P><P></P><P>Does any one know why does firewall work like this ?</P><P></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">Thanks.</SPAN></P></BODY></HTML> Fri, 01 Feb 2013 10:12:53 GMT https://live.paloaltonetworks.com/t5/general-topics/how-does-the-firewall-work-when-they-received-unknown-user-s/m-p/5682#M4161 JTR 2013-02-01T10:12:53Z https://live.paloaltonetworks.com/t5/general-topics/how-does-the-firewall-work-when-they-received-unknown-user-s/m-p/5683#M4162 <HTML><HEAD></HEAD><BODY><P>Hi...For unknown users and new connections, the PA would query the userID agent to see if there is a ip-user mapping.&nbsp; Because you manually clear the user-cache and there may be existing sessions, the cache may be populated as unknown.</P><P></P><P>I suggest you clear user-cache and also clear the session(s) via 'clear session all'.&nbsp; Then generate new connection from that user IP to test.&nbsp; Thanks. </P></BODY></HTML> Fri, 01 Feb 2013 18:46:55 GMT https://live.paloaltonetworks.com/t5/general-topics/how-does-the-firewall-work-when-they-received-unknown-user-s/m-p/5683#M4162 rmonvon 2013-02-01T18:46:55Z https://live.paloaltonetworks.com/t5/general-topics/how-does-the-firewall-work-when-they-received-unknown-user-s/m-p/5684#M4163 <HTML><HEAD></HEAD><BODY><P>Thanks, rmonvon, It works. But it took more time (about 10 sec) than I've expected. :smileygrin:</P><P>Anyway It was very useful , Thanks Again. </P></BODY></HTML> Mon, 04 Feb 2013 06:14:05 GMT https://live.paloaltonetworks.com/t5/general-topics/how-does-the-firewall-work-when-they-received-unknown-user-s/m-p/5684#M4163 JTR 2013-02-04T06:14:05Z