<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: User-ID Service - Client IP Population in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/user-id-service-client-ip-population/m-p/216695#M62744</link>
<description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7608"&gt;@reaper&lt;/a&gt;&lt;/P&gt;&lt;P&gt;&lt;BR /&gt;Thanks for the reply on this.&amp;nbsp; So I started completely from scratch on my configuration in attempts to more easily troubleshoot.&amp;nbsp; Without any networks in the include list, I get no IP addresses in the Monitoring Tab under discovered users.&amp;nbsp; When I add an office IP range to the Discovery, I start seeing logs such as these.&amp;nbsp;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;IP x.x.x.x is not in the include list&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;IP x.x.x.x is not in the include list&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;IP x.x.x.x is not in the include list&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;IP x.x.x.x is not in the include list&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;IP x.x.x.x is not in the include list&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;IP x.x.x.x is not in the include list&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;When I add one of these networks which I know has users on it, the error in debug goes away, but the Monitor still shows 0 IPs.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 500px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/15383i36AA7A8CE69DD489/image-size/medium/is-moderation-mode/true?v=v2&amp;amp;px=400" role="button" title="image.png" alt="image.png" /&gt;&lt;/span&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;It's almost like it is seeing the IPs from the domain controllers as it writes them in the log, but then is not saving them.&amp;nbsp; This is why I was asking about normal operation with just log reading on, as I was thinking perhaps monitoring only was for addresses that were also polled. 
Completely confused here.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;-Matt&lt;/SPAN&gt;&lt;/P&gt;</description>
    <pubDate>Tue, 05 Jun 2018 17:13:42 GMT</pubDate>
    <dc:creator>mlinsemier</dc:creator>
    <dc:date>2018-06-05T17:13:42Z</dc:date>
    <item>
      <title>User-ID Service - Client IP Population</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/user-id-service-client-ip-population/m-p/216586#M62731</link>
<description>&lt;P&gt;All,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;When we first installed our User-ID Agent service on Windows Server 4-5 years ago we implemented Security Log Reading (from domain controller logs), AD Session Scanning, and WMI polling.&amp;nbsp; About 5-6 days ago we started running into issues (which we have yet to determine the cause of), where polling seems to be opening up multiple connections at a time, causing our WAN optimizer to start trying to optimize 10x more connections than normal.&amp;nbsp; After delving into the latest best practices, it seems that Session Scanning and WMI polling are no longer recommended, and just reading the AD logs and Syslogs is the best way to go.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Question:&amp;nbsp; If I just enable reading the Windows logs from the domain controllers, should it be populating the User-ID agent with IP addresses of users?&amp;nbsp; When I turn off session scanning and WMI probing, the IP list is empty.&amp;nbsp; As I've always used all three options, I'm not sure what is "normal" and I can't find any supporting documentation that explains one way or the other.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Sincerely,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;-Matt&lt;/P&gt;</description>
      <pubDate>Tue, 05 Jun 2018 01:25:01 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/user-id-service-client-ip-population/m-p/216586#M62731</guid>
      <dc:creator>mlinsemier</dc:creator>
      <dc:date>2018-06-05T01:25:01Z</dc:date>
    </item>
    <item>
      <title>Re: User-ID Service - Client IP Population</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/user-id-service-client-ip-population/m-p/216612#M62732</link>
      <description>&lt;P&gt;Hi &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7143"&gt;@mlinsemier&lt;/a&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;yes, log reading is the main way to populate user-ip mappings&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Logs contain a username + ip which are learned when a user logs on&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;WMI probes are used on 'known' IP-user maps to verify if the user is still logged on, or, for 'unknown' IPs, to probe if a user can be learned (this happens when the firewall gets a connection from an unmapped IP in the User-ID enabled zones: it will request information on the IP from the User-ID agent, and if the agent does not already have a mapping it will try a probe)&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;'server session reads' are used to detect users with mapped network drives (whenever the drive is touched, the user source + credentials can be refreshed/learned)&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;so, since your WAN optimizer went into overdrive, and after disabling probing your IPs aren't populating, your log reading may have gotten disabled somehow, causing you to start probing every single IP rather than learning IPs from the log and only periodically probing&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 05 Jun 2018 08:00:10 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/user-id-service-client-ip-population/m-p/216612#M62732</guid>
      <dc:creator>reaper</dc:creator>
      <dc:date>2018-06-05T08:00:10Z</dc:date>
    </item>
    <item>
      <title>Re: User-ID Service - Client IP Population</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/user-id-service-client-ip-population/m-p/216695#M62744</link>
<description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7608"&gt;@reaper&lt;/a&gt;&lt;/P&gt;&lt;P&gt;&lt;BR /&gt;Thanks for the reply on this.&amp;nbsp; So I started completely from scratch on my configuration in attempts to more easily troubleshoot.&amp;nbsp; Without any networks in the include list, I get no IP addresses in the Monitoring Tab under discovered users.&amp;nbsp; When I add an office IP range to the Discovery, I start seeing logs such as these.&amp;nbsp;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;IP x.x.x.x is not in the include list&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;IP x.x.x.x is not in the include list&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;IP x.x.x.x is not in the include list&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;IP x.x.x.x is not in the include list&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;IP x.x.x.x is not in the include list&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;IP x.x.x.x is not in the include list&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;When I add one of these networks which I know has users on it, the error in debug goes away, but the Monitor still shows 0 IPs.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 500px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/15383i36AA7A8CE69DD489/image-size/medium/is-moderation-mode/true?v=v2&amp;amp;px=400" role="button" title="image.png" alt="image.png" /&gt;&lt;/span&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;It's almost like it is seeing the IPs from the domain controllers as it writes them in the log, but then is not saving them.&amp;nbsp; This is why I was asking about normal operation with just log reading on, as I was thinking perhaps monitoring only was for addresses that were also polled. 
Completely confused here.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;-Matt&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 05 Jun 2018 17:13:42 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/user-id-service-client-ip-population/m-p/216695#M62744</guid>
      <dc:creator>mlinsemier</dc:creator>
      <dc:date>2018-06-05T17:13:42Z</dc:date>
    </item>
    <item>
      <title>Re: User-ID Service - Client IP Population</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/user-id-service-client-ip-population/m-p/216711#M62750</link>
<description>The IPs under the x.x.x.x, are they in your expected subnet? It could be that the firewall is polling your agent for "unknown" IPs and that's what's causing these logs (without a filter you should get _all_ IPs from the log)&lt;BR /&gt;&lt;BR /&gt;Just as a sanity check, can you go through the Windows Event Viewer to see if you can find any EventID 4768 (Authentication Ticket Granted), 4769 (Service Ticket Granted), 4770 (Ticket Granted Renewed), or 4624 (Logon Success) logs?&lt;BR /&gt;</description>
      <pubDate>Tue, 05 Jun 2018 18:18:39 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/user-id-service-client-ip-population/m-p/216711#M62750</guid>
      <dc:creator>reaper</dc:creator>
      <dc:date>2018-06-05T18:18:39Z</dc:date>
    </item>
    <item>
      <title>Re: User-ID Service - Client IP Population</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/user-id-service-client-ip-population/m-p/216713#M62751</link>
<description>&lt;P&gt;Okay, that makes sense, because I pared down the "Allowed IPs" that the remote Palo Altos are looking for IP-to-user mappings for.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;For the audit events, are you speaking of the Event Viewer on the domain controller itself?&lt;/P&gt;</description>
      <pubDate>Tue, 05 Jun 2018 18:44:25 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/user-id-service-client-ip-population/m-p/216713#M62751</guid>
      <dc:creator>mlinsemier</dc:creator>
      <dc:date>2018-06-05T18:44:25Z</dc:date>
    </item>
    <item>
      <title>Re: User-ID Service - Client IP Population</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/user-id-service-client-ip-population/m-p/216714#M62752</link>
<description>Yes, the server that the User-ID agent is polling should have at least one of these events in the Event Viewer&lt;BR /&gt;If they don't show up, you'll want to go into your local security policy and enable auditing for "logon success"</description>
      <pubDate>Tue, 05 Jun 2018 18:51:45 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/user-id-service-client-ip-population/m-p/216714#M62752</guid>
      <dc:creator>reaper</dc:creator>
      <dc:date>2018-06-05T18:51:45Z</dc:date>
    </item>
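Added example, not code from the thread and not the User-ID agent's own code. It does by hand on a domain controller what reaper describes the agent's log reader doing: pull the logon events named above (4768, 4769, 4770, 4624) from the Security log, extract the user and client IP from each, keep the newest user per IP, and flag IPs that fall outside an include list the way the agent's "IP x.x.x.x is not in the include list" debug line does. If the query returns nothing at all, it prints the auditpol subcategories to enable, which is the "enable auditing for logon success" step. Assumptions: you run it elevated on the DC (or pass -ComputerName with Event Log Readers rights), and the 10.10.0.0/16 include subnet is a made-up office range.

```powershell
# Added example (not from the thread). Mimics the User-ID agent's log
# reader: Security log -> user/IP pairs -> include-list check.
[CmdletBinding()]
param(
    [string]$ComputerName     = $env:COMPUTERNAME,
    [string[]]$IncludeSubnets = @('10.10.0.0/16'),   # hypothetical office range
    [int]$Hours               = 24
)

# Event IDs reaper lists: Kerberos TGT (4768), service ticket (4769),
# ticket renewal (4770), logon success (4624).
$eventIds = 4768, 4769, 4770, 4624

function Test-InSubnet {
    # IPv4-only CIDR membership test; anything unparsable is "not in list".
    param([string]$Ip, [string]$Cidr)
    $net, $bits = $Cidr -split '/'
    $a = $null; $n = $null
    if (-not [ipaddress]::TryParse($Ip,  [ref]$a) -or $a.AddressFamily -ne 'InterNetwork') { return $false }
    if (-not [ipaddress]::TryParse($net, [ref]$n) -or $n.AddressFamily -ne 'InterNetwork') { return $false }
    $ipB = $a.GetAddressBytes(); $netB = $n.GetAddressBytes()
    for ($i = 0; $i -lt 4; $i++) {
        $take = [math]::Min(8, [math]::Max(0, [int]$bits - 8 * $i))  # mask bits in this octet
        $m = (0xFF -shl (8 - $take)) -band 0xFF
        if (($ipB[$i] -band $m) -ne ($netB[$i] -band $m)) { return $false }
    }
    return $true
}

$filter = @{ LogName = 'Security'; Id = $eventIds; StartTime = (Get-Date).AddHours(-$Hours) }
try {
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop
} catch {
    # Get-WinEvent errors out when nothing matches. No 4624/476x events at all
    # means the success-audit subcategories are off on this DC.
    Write-Warning "No events $($eventIds -join ',') in the last $Hours h on $ComputerName."
    Write-Warning 'Enable success auditing (locally or via GPO), e.g.:'
    Write-Warning '  auditpol /set /subcategory:"Logon" /success:enable'
    Write-Warning '  auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable'
    Write-Warning '  auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable'
    return
}

$mappings = @{}   # client IP -> newest (user, event id, time); one user per IP, like the agent
$outside  = 0
foreach ($e in $events) {                        # Get-WinEvent returns newest first
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }

    $user = ($d['TargetUserName'] -split '@')[0]        # 4769/4770 carry user@REALM
    $ip   = $d['IpAddress'] -replace '^::ffff:', ''    # Kerberos events use IPv4-mapped IPv6

    # Skip what the agent also ignores: machine accounts, loopback, and
    # 4624s that carry no client address ("-").
    if (-not $user -or -not $ip -or $user.EndsWith('$')) { continue }
    if ($ip -in @('-', '127.0.0.1', '::1')) { continue }
    if ($mappings.ContainsKey($ip)) { continue }        # newest event per IP wins

    $inList = $false
    foreach ($s in $IncludeSubnets) { if (Test-InSubnet $ip $s) { $inList = $true; break } }
    if (-not $inList) { $outside++; Write-Verbose "IP $ip is not in the include list" }

    $mappings[$ip] = [pscustomobject]@{
        IP = $ip; User = $user; EventId = $e.Id; Time = $e.TimeCreated; InIncludeList = $inList
    }
}

"Events read: $($events.Count); mappings: $($mappings.Count); IPs outside include list: $outside"
$mappings.Values | Sort-Object Time -Descending | Format-Table -AutoSize
```

Run it with -Verbose to see the per-IP "not in the include list" lines. Two things worth knowing when reading the output: on a DC, 4624 records logons to the DC itself (mostly network logons to SYSVOL and the like), so the workstation address of a domain logon is usually best taken from the Kerberos events, and the 4624 audit subcategory is "Logon" under Logon/Logoff while 4768-4770 live under Account Logon, so both categories need success auditing before all four IDs appear.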
  </channel>
</rss>

