topic Re: wrong user-id mapping in General Topics

wrong user-id mapping

ppk_vs — Thu, 10 Aug 2017 10:39:40 GMT

Hello everybody,

We have a problem with a user to IP mapping. Doesn't matter which version of PanOS - 7 or 8, doesn't matter if it's using windows agent or direct access from paloalto to LDAP servers.

Let's say a user is going to some server, windows exchange for example, and this server authenticates the user by LDAP. Then windows agent will have exchange's IP address mapped to the user name.

For now, I have resolved this problem by excluding servers subnets in windows agent configuration. But not sure, may be there is a better way.

Regards,

Vladimir.

Re: wrong user-id mapping

BPry — Thu, 10 Aug 2017 13:46:40 GMT

@ppk_vs,

I'm not really seeing the issue. The way that user-id works is the user that is logged into the server, or the last to log in within the age-out, is the user mapped to that IP. So if you have someone log into your exchange server traffic do something really quick and then log out, they'll maintain the user-id mapping until another account logs a security event or the User ID timeout has been hit (if enabled).

If you don't want this action to take place then you would do exactly as you describe here, you exlude the IPs from user identification.

Re: wrong user-id mapping

ppk_vs — Thu, 10 Aug 2017 14:52:14 GMT

Hi,

may be I didn't explain the problem clear.

So, for example, the user logged in to the PC - after that paloalto had the correct IP address. After that user opened any site in web browser, that used LDAP authentication. Then paloalto has IP address of the server, where that site was hosted, as an IP address mapped to the user. So if security rule allows access by user-id, it will not match IP address of the user's PC.

Re: wrong user-id mapping

Kolby_Baker — Mon, 08 Mar 2021 19:23:42 GMT

Hello,

Did you ever find a solution to your problem? I am having the same issue. what did you end up doing to to get the ip user mapping to the user's machine and not the authentication server?

Re: wrong user-id mapping

ppk_vs — Tue, 18 Jan 2022 12:19:35 GMT

Sorry, I have just seen the answer. So, I normally just use user-id exclusion lists for such server for which I don't want to use a user-id from the one side and where can some authentication event happen.