https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id/m-p/10274#M7554 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>You can find 'Manage auditing and security log' policy under 'User Rights Assignment' in Group policy management and 'DCOM: Machine Launch restriction...' policy under 'Security options' in same group policy management for DC.</P><P></P><P>Regards,</P><P>Hari Yadavalli</P></BODY></HTML> Thu, 02 Jan 2014 13:46:43 GMT hyadavalli 2014-01-02T13:46:43Z https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id/m-p/10271#M7551 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I am having issues with getting the user-mappings after configuring the PAN as an agentless user-id with an AD. I have followed all the steps in this document</P><P>-&gt; <A _jive_internal="true" href="https://live.paloaltonetworks.com/docs/DOC-4332">https://live.paloaltonetworks.com/docs/DOC-4332</A>.</P><P></P><P>All are good except that when I run the CLI command&nbsp; &gt; <SPAN style="color: #3b3b3b; font-family: 'courier new', courier;">show user ip-user-mapping all</SPAN></P></BODY></HTML> Thu, 02 Jan 2014 09:23:14 GMT https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id/m-p/10271#M7551 Suhaimi 2014-01-02T09:23:14Z https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id/m-p/10272#M7552 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Check whether service account created for pulling user-ip mapping has rights for 'Manage auditing and security log' policy and 'DCOM: Machine launch restriction.' policy.</P><P></P><P>Regards,</P><P>Hari Yadavalli</P></BODY></HTML> Thu, 02 Jan 2014 12:28:58 GMT https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id/m-p/10272#M7552 hyadavalli 2014-01-02T12:28:58Z https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id/m-p/10273#M7553 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Would you care to explain further the policy rights assignment?</P><P></P><P>Thanks</P></BODY></HTML> Thu, 02 Jan 2014 13:25:09 GMT https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id/m-p/10273#M7553 Suhaimi 2014-01-02T13:25:09Z https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id/m-p/10274#M7554 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>You can find 'Manage auditing and security log' policy under 'User Rights Assignment' in Group policy management and 'DCOM: Machine Launch restriction...' policy under 'Security options' in same group policy management for DC.</P><P></P><P>Regards,</P><P>Hari Yadavalli</P></BODY></HTML> Thu, 02 Jan 2014 13:46:43 GMT https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id/m-p/10274#M7554 hyadavalli 2014-01-02T13:46:43Z https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id/m-p/10275#M7555 <HTML><HEAD></HEAD><BODY><P>Hi, Ive done the user rights assignment but still the same. I read somewhere that you need to setup an LDAP server. Is this necessary?</P></BODY></HTML> Thu, 02 Jan 2014 14:52:32 GMT https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id/m-p/10275#M7555 Suhaimi 2014-01-02T14:52:32Z https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id/m-p/10276#M7556 <HTML><HEAD></HEAD><BODY><P>Ldap server is required for getting group-mappings.</P><P>Can you confirm if user-identification is enabled for the zone you wanted to see mapping?</P></BODY></HTML> Thu, 02 Jan 2014 16:00:13 GMT https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id/m-p/10276#M7556 hyadavalli 2014-01-02T16:00:13Z https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id/m-p/10277#M7557 <HTML><HEAD></HEAD><BODY><P>Suhaimi,</P><P></P><P>No, Ldap server is configuration is required to pull user-group mappings, not in this case. If you're sure about the service account privileges(<SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">Be sure the user is part of the Distributed COM Users, Server Operators and Event Log Readers groups.</SPAN>), can you ensure the status of the AD shows up as 'Connected' on the firewall?</P><P></P><P><IMG alt="uid.PNG" class="jive-image" height="110" src="https://live.paloaltonetworks.com/legacyfs/online/10579_uid.PNG" style="width: 158.93877551020407px; height: 110px;" width="159" /></P><P></P><P>You can run the following command to check the statistics as well-</P><P>&gt; show user server-monitor state all</P><P>&gt; show user server-monitor statistics</P><P></P><P>Also, please ensure the firewall is connected to all the DC's the users are logging on to. User-ip-mappings are retrieved by the firewall by reading successful logon events from the security logs on DC. You can run 'set l' on the windows command prompt and that will show the DC user is logging onto. If all this is in place, looking at the userid debug logs should help.</P><P></P><P>&gt; debug user-id on debug</P><P>&gt; debug user-id set userid servermonitor</P><P>&gt; debug user-id set userid basic</P><P>&gt; debug user-id log-ip-user-mapping yes</P><P>&gt; tail follow yes mp-log useridd.log</P><P></P><P>To turn these off-</P><P>&gt; debug user-id log-ip-user-mapping no</P><P>&gt; debug user-id unset all</P><P>&gt;debug user-id on info</P><P></P><P>This will be a helpful document for you:</P><P><A _jive_internal="true" href="https://live.paloaltonetworks.com/docs/DOC-5662" style="font-size: 10pt; line-height: 1.5em;">https://live.paloaltonetworks.com/docs/DOC-5662</A></P><P></P><P>Hope that helps,</P><P>Aditi</P></BODY></HTML> Thu, 02 Jan 2014 16:09:01 GMT https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id/m-p/10277#M7557 apasupulati 2014-01-02T16:09:01Z