topic Re: User-ID not mapping all users in General Topics

User-ID not mapping all users

JermaineScott — Mon, 26 Aug 2019 17:46:18 GMT

I'm using the PA's integrated User-ID Agent to setup User-ID. The moment I began monitoring DC controllers it begain to pull User-ID mappings. This is before User-ID was configured on any zone. However, when I configured User-ID on a source zone, the firewall doesn't getting any user mappings from that source zone. Select IP addresses (approx. 5) will periodically show a mapping of "unknown" however it appears it's not getting a response from the other source IP addresses ( approx. 200) in that zone.

Any ideas on what could cause this?

Re: User-ID not mapping all users

S.Cantwell — Mon, 26 Aug 2019 20:12:31 GMT

I would recommend that you take a look at the following section in the Admin guide for enabling UserID properly

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/user-id.html#

Essentially, it gets broken down into 3 parts.

1) Get LDAP/Group Mappings configured on FW.

Create LDAP Server Profile

User-ID Group Mapping Settings.

2) Users log into DC/Exchange server(s) like they normally do.

3) User ID on the source Zone enabled

So, the 200 or so computers need to be (generally) Windows machines, on the domain, autheticating to the domain.

When users authenticate, server log entry is created, with username/IP associated.

UserID aget, monitoring the DC, will extract user/IP info and show logs in FW (not in security policy)

Again, take a look at the UserID docs, and let us know how we can assist further.

Re: User-ID not mapping all users

OtakarKlier — Mon, 26 Aug 2019 21:09:38 GMT

Hello,

Also check the User Identification Timeout (min) setting. By default its something small like 45 mins. We had to bump ours to 720 mins to keep the users from dropping off during business hours since they might only authenticate in once. Another thing is if you use Exchange and everyone has Outlook, you can monitor the exchange logs and the chance of a use dropping off is slim since Outlook is always authenticating against exchange.

Regards,

Re: User-ID not mapping all users

JermaineScott — Tue, 27 Aug 2019 14:37:58 GMT

Hey @S.Cantwell

I was in a rush and just providing limited information, but I went through the User-ID documentation completely when configuring User-ID, and I've configured User-ID successfully many times before. It was strange that I was getting limited reponses so I unconfigred all lthe setting, cleared the mappings. Then as I configured each piece, I monitored the mappings of the agent to try and dissect where the limited mapping were coming from. From that, I noticed that it began to populate prior to User-ID being enabled no the source zone.

I did some troubleshooting with my AD admin and found out that the AD servers do not log successful Logon events. I'm sure this plays a part in why logon from my source zone aren't being mapped by the agent, but doesn't quite explain withthe other mappings are there.

Re: User-ID not mapping all users

JermaineScott — Tue, 27 Aug 2019 14:55:17 GMT

@OtakarKlier

My hesitancy with extening user timeout has always been tied to dhcp timeout, and what would happen it if one user dropped of the network and another picked up their IP address. Then they'd potentiall have access (based on policy) to things they shouldn't. Or not have access to things they should.

I like the idea of using Exchange. So would I just configure the FQDN of the Exchange servers in the Server Monitoring tab?

Also a note from my other repsponse: I did some troubleshooting with my AD admin and found out that the AD servers do not log successful Logon events. I'm sure this plays a part in why logon from my source zone aren't being mapped by the agent, but doesn't quite explain withthe other mappings are there.

Would that be a factor, if they same is true for the Exchange Server?