topic Re: User-ID agent issue in General Topics

User-ID

Shadow — Wed, 12 Jun 2019 09:13:56 GMT

Hello all,

currently, we are facing with a strange issue related to user agent. Scenario is that, once the user login to his/her laptop then tries to surf, e/she will get dropped by the firewall. After further investigation, we found that the time the firewall takes to identify the user agent causing the issue.

in other words, user logs in to the laptop try to surf to the internet drops, then about 5-10min later user is now identified. also, our usage to use the internet via the firewall has increase a lot.

so, my question would be, how can we delay the process to identify the user by the firewall, are there any tweaks where we could make some changes. At the moment on user-identification the timers are default (45min for cache )

any advaice?

thanks in advance

Lance

Re: User-ID

Shadow — Wed, 12 Jun 2019 09:16:08 GMT

to the above,

OS : 7.1.22

Re: User-ID

OtakarKlier — Wed, 12 Jun 2019 16:22:51 GMT

Hello,

What are the agents looking at to obtain the user-id? Domain controler logs, exchange, etc.?

Please advise,

Re: User-ID

MP18 — Thu, 13 Jun 2019 04:59:40 GMT

Also increase the timer to 4 hours if you are running the user id agent on windows server

Re: User-ID

Shadow — Fri, 14 Jun 2019 13:18:38 GMT

Hi MP18,

thanks for the response. I take this as the timer is on agent itself. cause I have access only to the firewall.

thanks

Lance

Re: User-ID

kiwi — Fri, 14 Jun 2019 14:05:10 GMT

Hi @Shadow ,

Correct.

Timers such as 'Security Log Monitor Frequency' is found on the agent.

Monitor Frequency

Cheers !

-Kiwi

Re: User-ID

Shadow — Fri, 14 Jun 2019 14:58:20 GMT

thank you, I have a TAC case open already. however, until this resolved they require some kind of workaround. this sounds good

Re: User-ID agent issue

Shadow — Thu, 20 Jun 2019 10:21:30 GMT

the issue was too many user mapping been used, max is 100 which could be handled by the firewall and currently 4xx been used.

article : https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRzCAK

credit to : Birk Hageloh (PA TAC)

hope this would help someone in the feature

Re: User-ID agent issue

kiwi — Thu, 20 Jun 2019 11:27:52 GMT

Hi @Shadow ,

Great news that it's fixed now !

Max 100 user mappings ? I believe the smallest platform can handle 64000 mappings ?

Or did you mean a maximum of 100 user-ID-agents ? As explained here :

configure-access-to-user-id-agents

Are you sure about that link that you added ? It's about PBF 🙂

Can you clarify ?

Cheers !

-Kiwi.

Re: User-ID agent issue

Shadow — Thu, 20 Jun 2019 13:32:00 GMT

Hi Kiwi,

its about : Unknown IP Rate Limit Mitigation for User-ID Mappings, sorry if I have posted the incorrect link:

Link: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cls9CAC

If I havent explained on my initial comment.

user logs in to the AD, tries to access the internet, get dropped by the firewall, then after a while(~10-15min) they can access the internet.

we saw the following in the live logs

pan user id agent_update_unknown_ip_rate_limit: Unknown IP rate is now 101.

when it hits above 100 user get match to the incorrect policy(hence the drop)

once again apologies for false information on my last comment

Re: User-ID agent issue

MP18 — Thu, 20 Jun 2019 14:45:28 GMT

i follow the link and run the command

show user ip-user-mapping all type UNKNOWN option count

Total: 122 users

why i am seeing this as unknown?

Re: User-ID agent issue

BPry — Thu, 20 Jun 2019 16:48:44 GMT

@MP18

This simply means that there are 122 clients that the firewall is unable to get user-id information for. Just because you have 122 users as unknown doesn't mean that you'll run into the issue mentioned in the article, but it means you potentially could if you cross the 100 sessions/s metric.