topic Re: iSSUE Enabled UsedID agentless in Palo Alto in General Topics

iSSUE Enabled UsedID agentless in Palo Alto

searching1 — Tue, 25 Jul 2017 12:51:58 GMT

Hi Team,

We configured and using UsedID on our policy. 1 issue i've encountered is sometime PA can't resolve the UserID assigned for specific address. This happens only selective user and other user are fine.

Question are:

1. What would be the issue when PA can't resolve or just show unknown userid on logs?

2. How to trouble and verify whether it's on workstation, FW or AD Server isssue?

3. How to resolve this issue?

Thanks

Re: iSSUE Enabled UsedID agentless in Palo Alto

TranceforLife — Tue, 25 Jul 2017 13:14:39 GMT

Hi.

This might help:

https://live.paloaltonetworks.com/t5/Management-Articles/Troubleshooting-User-ID-Group-and-User-to-IP-Mapping/ta-p/59072

Please check the document attached to the article

Re: iSSUE Enabled UsedID agentless in Palo Alto

ansharma — Tue, 25 Jul 2017 21:24:57 GMT

Hey!

1. Run this command on the CMD of that machine - echo %logonserver%

2. Check if you have that DC added in the Server monitoring section.

3. If it's not there, add it. Issue resolved.

4. If it's there, check if there is an event log generated for that user's login.

5. Check useridd.log - less mp-log useridd.log

HTH,

Anurag

Re: iSSUE Enabled UsedID agentless in Palo Alto

searching1 — Wed, 26 Jul 2017 13:02:02 GMT

Thank you all for your comments.

But I would like to ask the process/query from workstation to FW and to AD?
This stages correct?
1. Workstation will generate userid to FW.
2. FW will check the policy based on UserID.
3. Then FW will query the AD then via LDAP to verify user acct.
4. if the reply from AD is confirmed, FW now will process the user request.

Thank you

Re: iSSUE Enabled UsedID agentless in Palo Alto

TranceforLife — Wed, 26 Jul 2017 13:50:41 GMT

Hi,

1. Workstation will generate userid to FW - Workstation will generate even/log entry on AD.
2. FW will check the policy based on UserID - Yes, as well as other matching criteria.
3. Then FW will query the AD then via LDAP to verify user acct - Only for Group Mapping (agent will read LDAP tree), users logs are delivered by user-id agent (User Groups <-------> User ID <-------> IP address)
4. if the reply from AD is confirmed, FW now will process the user request - No, no direct connection/query for a particular user with AD. All based on even/security logs where user id agent has an account on AD server with the minimum permittion to read these logs.

Re: iSSUE Enabled UsedID agentless in Palo Alto

searching1 — Wed, 26 Jul 2017 14:21:25 GMT

Hi @TranceforLife,

Thank you for sharing. In addition we are using agentless rightnow

Just want to clarify

3. Only for Group Mapping (agent will read LDAP tree), users logs are delivered by user-id agent (User Groups <-------> User ID <-------> IP address).

- So this is only for w/ agent setup? How about agentlless setup? So Once the FW and AD has been setup via LDAP no more query will happen?

4. No, no direct connection/query for a particular user with AD. All based on even/security logs where user id agent has an account on AD server with the minimum permittion to read these logs.

- So you mean Agentless or with agent doest query the AD anymore? All based on security logs (Generated on workstation?)

sorry 3 & 4 part is not clear to me. apologize

Re: iSSUE Enabled UsedID agentless in Palo Alto

TranceforLife — Wed, 26 Jul 2017 14:29:04 GMT

3) LDAP, in our case , is needed for Group Mapping query, user id info still delivered by the agents (FW or SW agent).

4) User id agents (both FW and/or SW agent) talking to AD and then deliver security logs/events to FW.

This is how l understood. Other advanced users can also comment and correct me if i am wrong.

Re: iSSUE Enabled UsedID agentless in Palo Alto

searching1 — Wed, 26 Jul 2017 14:32:26 GMT

Thank you bro, Nice diagram, may i know where did you get that. bec. looking for docs regarding user ID process agentless/w/agent? cant find any good docs. always configuration.

Re: iSSUE Enabled UsedID agentless in Palo Alto

TranceforLife — Wed, 26 Jul 2017 14:38:37 GMT

Say thanks to@acc6d0b3610eec313831f7900fdbd235,

He did a very good job in providing some nice free resources. Get registered at a learning centre and look for :

Firewall Installation, Configuration, and Management: Essentials 1 (101) PAN-OS 7.0 Rev. B

Firewall 8.0 Essentials: Configuration and Management (EDU-110)

https://live.paloaltonetworks.com/t5/General-Topics/Palo-Alto-Networks-Training-Resources-Available/m-p/76106

p.s Snip was from one of the video training lessons