https://live.paloaltonetworks.com/t5/general-topics/user-id-inconsistancies/m-p/154231#M50845 <P>Hello,</P><P>&nbsp;</P><P>It's not the first time that I am facing this kind of issue :</P><P>&nbsp;</P><P>Context : PaloAlto FW with (multiple) userID agents in a single (or multiple) Microsoft domain and user id based security policies.</P><P>&nbsp;</P><P>The User ID feature seems at a glance to be working well, however sometimes UserID seems to "loose focus" on several source IP addresses (users).</P><P>&nbsp;</P><P>For example, at instant t : IP x.x.x.x is identified with user A. Suddently, at instant t + delta t (random) : IP x.x.x.x is no more identified (no more source user). Again after delta t (random) : IP x.x.x.x is identified with the same (or sometimes another) user A</P><P>&nbsp;</P><P>You can see an occurence in the extracted logs below.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="logs.JPG" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/8976iE8E6965F33335953/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="logs.JPG" alt="logs.JPG" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;We can see IP 10.35.111.103 is identified with source user domain\johnd, then suddently the IP has no more user during around 30 minutes (and appropriate rule is obviously no more matched). And then the IP is associated back with the correct user.</P><P>&nbsp;</P><P>I have seen this behaviour many times with a end customer impact range from "no matter, that seems to be working fine" to "it doesn't work! fix it!", obviously depending of the security policies configuration.</P><P>&nbsp;</P><P>In this particular example, we are running PanOS 7.1.7 on PA-5050 cluster, with UserID agents release 7.0.4.5</P><P>&nbsp;</P><P>Have you ever been facing such issue ?</P><P>&nbsp;</P><P>Regards,</P><P>&nbsp;</P><P>Laurent</P> Wed, 26 Apr 2017 14:03:54 GMT Laurent_Dormond 2017-04-26T14:03:54Z https://live.paloaltonetworks.com/t5/general-topics/user-id-inconsistancies/m-p/154231#M50845 <P>Hello,</P><P>&nbsp;</P><P>It's not the first time that I am facing this kind of issue :</P><P>&nbsp;</P><P>Context : PaloAlto FW with (multiple) userID agents in a single (or multiple) Microsoft domain and user id based security policies.</P><P>&nbsp;</P><P>The User ID feature seems at a glance to be working well, however sometimes UserID seems to "loose focus" on several source IP addresses (users).</P><P>&nbsp;</P><P>For example, at instant t : IP x.x.x.x is identified with user A. Suddently, at instant t + delta t (random) : IP x.x.x.x is no more identified (no more source user). Again after delta t (random) : IP x.x.x.x is identified with the same (or sometimes another) user A</P><P>&nbsp;</P><P>You can see an occurence in the extracted logs below.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="logs.JPG" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/8976iE8E6965F33335953/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="logs.JPG" alt="logs.JPG" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;We can see IP 10.35.111.103 is identified with source user domain\johnd, then suddently the IP has no more user during around 30 minutes (and appropriate rule is obviously no more matched). And then the IP is associated back with the correct user.</P><P>&nbsp;</P><P>I have seen this behaviour many times with a end customer impact range from "no matter, that seems to be working fine" to "it doesn't work! fix it!", obviously depending of the security policies configuration.</P><P>&nbsp;</P><P>In this particular example, we are running PanOS 7.1.7 on PA-5050 cluster, with UserID agents release 7.0.4.5</P><P>&nbsp;</P><P>Have you ever been facing such issue ?</P><P>&nbsp;</P><P>Regards,</P><P>&nbsp;</P><P>Laurent</P> Wed, 26 Apr 2017 14:03:54 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-inconsistancies/m-p/154231#M50845 Laurent_Dormond 2017-04-26T14:03:54Z https://live.paloaltonetworks.com/t5/general-topics/user-id-inconsistancies/m-p/154256#M50852 <P>Hi Laurent,</P><P>&nbsp;</P><P>How is the end user fixing it? I'm thinking the issue could be a possible timeout issue on the user mapping, so if the end user has to re-authenticate then that would fix it.</P><P>&nbsp;</P><P>You could try increasing the timeout value to keep the users logged in and/or enabling server session read. Additionally you could also try enabling WMI probes but be careful with these as a failed probe will remove the user mapping, you need to make sure client computers are set to respond ok to these.</P><P>&nbsp;</P><P>The best user-id method is to have GlobalProtect set up for internal host detection and internal gateways.</P><P>&nbsp;</P><P>hope this helps,</P><P>Ben</P> Wed, 26 Apr 2017 16:16:22 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-inconsistancies/m-p/154256#M50852 bmorris1 2017-04-26T16:16:22Z https://live.paloaltonetworks.com/t5/general-topics/user-id-inconsistancies/m-p/154360#M50869 <P>Hi Ben,</P><P>&nbsp;</P><P>Many thanks for your help and advices.</P><P>&nbsp;</P><P>We are not using WMI probing, because as you underlined it there is some configuration to perform on the endpoints. Assuming that we have more than 5000 hosts on a "not that powerfull network" also we won't risk any network performance impact.</P><P>&nbsp;</P><P>We neither want to deploy Global Protect because we don't want to add more components on the endpoint side (Furthermore we already have another VPN solution with its own components).</P><P>&nbsp;</P><P>I will try to increase the auth cache timeout to a bigger value and I hope it will fix it, keeping in mind the drawback that a "loged out" user will still be identified by the userID if the endpoint still performs network traffic.</P><P>&nbsp;</P><P>Regards,</P><P>&nbsp;</P><P>Laurent</P> Thu, 27 Apr 2017 08:03:10 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-inconsistancies/m-p/154360#M50869 Laurent_Dormond 2017-04-27T08:03:10Z https://live.paloaltonetworks.com/t5/general-topics/user-id-inconsistancies/m-p/154371#M50872 <P>FWIW, in my experience, WMI probing has more issues than just making sure the endpoint can reply. I've actually had multiple PA TAC engineers/SE tell me not to use it at all. basically what I noticed early on was that the logs were filled with reports of WMI queue being full so it was no longer queing, which effectively makes it futile.</P><P>&nbsp;</P> Thu, 27 Apr 2017 09:39:39 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-inconsistancies/m-p/154371#M50872 bradk14 2017-04-27T09:39:39Z https://live.paloaltonetworks.com/t5/general-topics/user-id-inconsistancies/m-p/154597#M50916 <P>Hello,</P><P>I would have to agree on not using WMI if you can help it. Its very chartty and all data is sent in clear text so anyone can potentially sniff it. I do agree that increasing the timeout is probably your best bet as I have sen similar behaviour in the past and increaseing the timeout help out. In one case I had to disable the timeout all together because of dropped usernames. Makes it a bit difficult when writing rules around users/ad groups, etc.</P><P>&nbsp;</P><P>Cheers!</P> Fri, 28 Apr 2017 20:39:17 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-inconsistancies/m-p/154597#M50916 OtakarKlier 2017-04-28T20:39:17Z https://live.paloaltonetworks.com/t5/general-topics/user-id-inconsistancies/m-p/155138#M51034 <P>Hello,</P><P>&nbsp;</P><P>Many thanks for you follow-up and advices.</P><P>&nbsp;</P><P>I just made a Change Request to increase the timeout cache value from default 45 min to 120 min.</P><P>&nbsp;</P><P>I will see in a few days whether this has fixed my issue.</P><P>&nbsp;</P><P>Regards</P> Thu, 04 May 2017 14:32:25 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-inconsistancies/m-p/155138#M51034 Laurent_Dormond 2017-05-04T14:32:25Z