topic Re: Palo stops identifying users in traffic logs in General Topics

Palo stops identifying users in traffic logs

soporteseguridad — Wed, 11 Oct 2017 12:57:25 GMT

Hi,

we realized that Palo Alto suddenly stops identifying users. We can see an example in this traffic logs.

In this screenshot, we see how the user is being identified but there are connectiosn where its not appearing.

sometime running show user ip-user-mapping all, we can not see the user associated to the correct ip.

What could it cause this problem? tshoot advice??

thanks a lot

Re: Palo stops identifying users in traffic logs

reaper — Wed, 11 Oct 2017 13:50:16 GMT

how is your timeout configured on UserID?

your mappings may be timing out causing the gaps in the log, could you share your configuration?

Re: Palo stops identifying users in traffic logs

Mick_Ball — Wed, 11 Oct 2017 14:56:08 GMT

FYI.

for similar reasons we have set ours to the following.

User Identification Timeout (min) 1440

so... 24 hours and seems to be OK.

Re: Palo stops identifying users in traffic logs

BPry — Thu, 12 Oct 2017 19:35:18 GMT

@soporteseguridad,

I wouldn't set age_out to 1440, nobody is working for 24 hours. Set the age_out time to match a users average day; so if you work from 7-5 on average then make the timeout 600 or 630 to give a little wiggle room.

Re: Palo stops identifying users in traffic logs

OtakarKlier — Fri, 13 Oct 2017 19:41:02 GMT

Hello,

Which user-id option are you using to detect the users? Agent, agentless, or wmi? I have a current case open for the User-id agents stop pulling in user data after a while and also currently the Angentless is not ablet o connect to some of my servers, another case. While its not affecting me much at the moment, it is a pain point. I'll update the case if I find out anything.

PANOS 8.0.3 (we are upgrading to 8.0.5 to see if it helps since there seem to be a lot of fixes for the User-id agent.

Agent versions: 8.0.4-5

Regards,

Re: Palo stops identifying users in traffic logs

Mick_Ball — Sat, 14 Oct 2017 09:10:17 GMT

@OtakarKlier

I'm using agents, collecting from 12 DC's. Never had an issue until updated to V8.

Agents failed to connect on occasions and when they were collecting we had a strange issue where the current policies were not allowing traffic thriugh for specific groups or users. It was a live system so had to roll back to V7 immediately. Never got chance to diagnose so please update with your findings.

Re: Palo stops identifying users in traffic logs

OtakarKlier — Mon, 16 Oct 2017 17:01:23 GMT

Hello @Mick_Ball,

I have also seen this with my smaller deployment. We went ahead and also implemented the Agentless User-ip as as top gap since TAC was not able to find a resolution. I also made sure that I had autodiscover enabled so that it would pick up on Exchange activity. So far it is working, but some of my PAN's lose connectivity to some of my DC's, seems random but I do have a TAC case open.

Sorry I dont have a solution at the moment. Also 8.0.5 has the same issues :(.

I'll update when I have more information.

Re: Palo stops identifying users in traffic logs

soporteseguridad — Thu, 19 Oct 2017 07:20:57 GMT

I increased the userid timeout in cache (700minutes), now it working fine.