topic Re: Monitoring - source user not shown in log in General Topics

Monitoring - source user not shown in log

robert_smith — Mon, 02 Apr 2012 16:39:28 GMT

Although the "agentID client" is installed on one of our domain controller boxes, I find that when using MONITOR log to look at the traffic, it doesn't show the "source user" of whom is currently logged in via Active Directory. Any idea why?

In addition, the monitor log will show the ip address and it will "resolve hostname" when checking the box.

Any help would be appreciated.

Rob

Re: Monitoring - source user not shown in log

jseals — Mon, 02 Apr 2012 18:03:23 GMT

Hi Robert,

Has this ever worked before, or is this a new installation?

Also, what version of the user-id agent and PAN OS Software are you running?

A few things you can do is check to see if the firewall has any correct mappings by running:

> show user ip-user-mapping all

If they are showing as unknown, then you need to open the agent installed on your DC and look to see if it's getting the correct mappings.

Thanks,

Jason Seals

Re: Monitoring - source user not shown in log

robert_smith — Mon, 02 Apr 2012 19:32:11 GMT

Jason,

I ran the command you mentioned and it shows some the following result. I've omitted users domain/user name for privacy concerns.

The vpn 192.168.7.x are vpn globalprotect clients and they do show in the listing. So it seems it only is showing vpn clients at the moment. Does the user-id client agent need to be installed directly on the domain controller as we have it installed on our manage server which is a member server which runs on VMware.

We are running PAN OS Software 4.1.2

The user-id client is running version 4.1.2-2

PA-500> show user ip-user-mapping all

IP              Ident. By User                             Idle Timeout (s) Max. Timeout (s)
--------------- --------- -------------------------------- ---------------- ----------------
192.168.7.xxx GP        (ommitted domain/user)       2468098          2468098
192.168.x.xx   Unknown   unknown                          1                4
192.168.x.x   Unknown   unknown                          1                4
192.168.x.x Unknown   unknown                          2                5
192.168.7.xxx   GP        (ommitted domain/user)             2155146          2155146
192.168.x.x   Unknown   unknown                          2                5
192.168.x.x    Unknown   unknown                          0                3
192.168.x.xx    Unknown   unknown                          2                5
192.168.x.xxx   Unknown   unknown                          2                5
Total: 9 users

Re: Monitoring - source user not shown in log

sjamaluddin — Thu, 05 Apr 2012 18:21:24 GMT

Do you have User ID enabled on the zone from where your internal users are coming in?

Also, do the users authenticate against a DC that is not being monitored by the User ID agent?

It would appear that your users on the GP zone are showing up correctly as that zone has user ID enabled.

If you go to Network>>Zones>> check to see if the users are coming in on a zone that has UserID enabled (box is checked)

Re: Monitoring - source user not shown in log

jseals — Fri, 06 Apr 2012 06:47:15 GMT

Hi Robert,

The agent does not need to be installed directly on the DC. Just a machine that can read the DC's security logs. However, installing it directly on the DC can rule out some communication issues.

As Saba said, it could be your zone not having userID checked. Since the firewall doesn't show the mappings, take a look at the agent and see if it's getting any mappings and is just having issues sending them to the firewall.

Thanks,

Jason Seals

Re: Monitoring - source user not shown in log

jcostello — Wed, 06 Jun 2012 12:00:12 GMT

We are seeing a similar issue on 3.1.2 client connecting to PANOS 4.0.11 (yes we do have an open case)

We've tried reinstalling the agent with out success

We've tried uninstalling the agent, doing a clean up and installing again.

No luck as yet, but we will update when we find a resolution.

Re: Monitoring - source user not shown in log

systemadmin_tu — Tue, 08 Jan 2013 14:40:56 GMT

I have the same problem with PAN OS 4.1.6 and UI agent 4.1.6-5.

Help me..

Re: Monitoring - source user not shown in log

kmurphy6 — Tue, 22 Jan 2013 17:41:38 GMT

same problem here with OS 4.1.9 and agent 4.1.4-3...intermittently empty source user field in traffic logs for the same source IP