topic User-ID Agentless question in General Topics

User-ID Agentless question

clyde.franklin — Fri, 06 May 2016 14:02:59 GMT

Is there a reason why with Agentless User-ID I still never see any logs in Monitor? As shown below it definitaely is working but traffice logs do not sohw user-ids. I have a any any policy and user-id box is checked on the zones. ANy ideas? I ahve agent on a 2012 server I do see in logs ia se failed to connecr to LDAP but def its working from output

dmin@PALO-TIA-03P vsys4(active-primary)> show user ip-user-mapping-mp all

IP Vsys From User Timeout (sec)
--------------- ------ ------- -------------------------------- ----------------
10.64.21.84 vsys4 UIA ad\rivea 880
10.1.97.119 vsys4 UIA ad\miche 611
10.64.19.66 vsys4 UIA ad\mclaugm 1215
10.64.42.65 vsys4 UIA ad\treeced 265
10.64.42.104 vsys4 UIA ad\kopitsc 1045
10.148.2.216 vsys4 UIA ad\mumphre 652
10.84.2.50 vsys4 UIA ad\bursono 981
10.64.46.156 vsys4 UIA ad\xueli 977

Re: User-ID Agentless question

pankaku — Sat, 07 May 2016 12:56:19 GMT

Run the command "show session all filter source <ip>" it will show session id now run the command "show session id <id>" now check if there is user name in the output or not. Might be you are not logging the traffic.

Filter the logs with the help of ip address and check if you have logs or not. Try removing the servers and do a commit and then add the server and do a commit and check if that helps or not.

Re: User-ID Agentless question

santonic — Mon, 09 May 2016 07:33:52 GMT

Did you enable User-ID on apropriate security zone(s)?

Re: User-ID Agentless question

JDominguez — Tue, 10 May 2016 15:21:30 GMT

Ensure that the Monitor tab has the "Source User" column. Additionally I found that restarting the userID deamon helped me with a few problems:

> debug software restart process user-id core yes

Restarting the management plane helped me as well (this will not affect normal traffic):

> debug software restart process management-server

You can also follow the user-id log for more info.

> tail follow yes mp-log useridd.log

Re: User-ID Agentless question

reaper — Tue, 10 May 2016 17:40:45 GMT

only use the "core yes" toggle if instructed to do so by TAC as this will create a core file

the core file can be used by support if they need to investigate an issue with a process, but generating a core when not needed will take up unnecessary disk space
core files are not automatically pruned to conserve debug data in case a process were to crash, this also means if there have been enough unsolicited core files created, there may not be enough space if an actual core were to happen

you can clear out old core files with the command > delete core-file

Re: User-ID Agentl question

clyde.franklin — Thu, 12 May 2016 13:15:22 GMT

Tried all these recommnedations and the User- Agent Monitor tab still I show only2 IPs which is the IP of the firewall and the IP of my actual PC. I still never see any user that are showing logged under cli comning in on the agent. I have pretty much read evey article that esist on PA and User -ID set to no avail. So Im going presume that my issue is maybe log rellated on server itself. Apprently Im suppose to see below type responses from Agent logs which I never do.

4768 (Authentication Ticket Granted)
4769 (Service Ticket Granted)
4770 (Ticket Granted Renewed)
4624 (Logon Success)

Re: User-ID Agentl question

reaper — Thu, 12 May 2016 13:18:50 GMT

Hi Clyde

if you open the Windows event viewer, do these event ID's ever show up?

you may need to enable success auditing in the domain security settings:

Re: User-ID Agentless question

clyde.franklin — Thu, 12 May 2016 13:25:24 GMT

For screenshot below I do have the first option shows as "Success" but the other options do not ubder Audit features. Do I need on some of the the other options as well like audit lohon events?