topic Re: Source user missing from log in General Topics

Source user missing from log

JimMcGrady — Thu, 16 Jul 2020 07:44:45 GMT

I have user mapping configured under user identification to monitor my AD servers - which are showing as 'connected'. My trust zone has user-id enabled. My globalprotect clients are in the trust zone. Their 'source user' correctly shows in the traffic log. However none of the other networks in my trust zone list a source user in their log entries. Why might it be that one network (globalprotect) lists user-id in traffic but the other networks do not?

Re: Source user missing from log

Thyrion — Thu, 16 Jul 2020 11:55:01 GMT

hi @JimMcGrady

this means the AD connection is not pulling in any username information (globalprotect is a different mechanism entirely), so first place to check is if you enabled audit logging on the AD and user logins are being logged, then check if the user account you set up for user-id has appropriate access to read those logs (event-log-reader)

hope this helps

Re: Source user missing from log

JimMcGrady — Tue, 21 Jul 2020 04:03:47 GMT

The AD servers appear to be connected:

show user server-monitor statistics

Directory Servers:
Name TYPE Host Vsys Status
-----------------------------------------------------------------------------
pdcpvads01.corp.int AD pdcpvads01.corp.int vsys1 Connected
pdcpvads02.corp.int AD pdcpvads02.corp.int vsys1 Connected

Queries to these servers dont report failures:

show user server-monitor state all

Server: pdcpvads01.corp.int(vsys: vsys1)
Host: pdcpvads01.corp.int
num of log query made : 2755
num of log query failed : 0
num of log read : 3132630
last record timestamp : 1595303559
last record time : 20200721035239.595407-000

Server: pdcpvads02.corp.int(vsys: vsys1)
Host: pdcpvads02.corp.int
num of log query made : 2772
num of log query failed : 1
num of log read : 1410103
last record timestamp : 1595303701
last record time : 20200721035501.975727-000

User mappings is correct for GP clients (172.30.x.x) but shows unknown for everything else

show user ip-user-mapping all

IP Vsys From User IdleTimeout(s) MaxTimeout(s)
--------------------------------------------- ------------------- ------- -------------------------------- -------------- -------------
172.30.4.137 vsys1 GP corp\306271 13344 13344
10.75.123.36 vsys1 Unknown unknown 3 6
10.21.166.30 vsys1 Unknown unknown 1 4

Are there other commands i should use to investigate?

Re: Source user missing from log

JimMcGrady — Tue, 21 Jul 2020 04:15:31 GMT

Under device - user identification - group mapping settings - i can see AD being queried successfully. These objects are successfully being used in policy rules which restrict traffic according to user id

However, when viewing the user mapping, anything other than GP (172.30) is listed as unknown:

show user ip-user-mapping all

IP Vsys From User IdleTimeout(s) MaxTimeout(s)
--------------------------------------------- ------------------- ------- -------------------------------- -------------- -------------
172.30.4.137 vsys1 GP corp\306271 13344 13344
172.30.4.233 vsys1 UIA corp\m062636 1876 1876
10.21.223.36 vsys1 Unknown unknown 3 6
172.30.4.120 vsys1 UIA corp\306976 2617 2617
10.21.166.30 vsys1 Unknown unknown 1 4

What else should i check?

Re: Source user missing from log

reaper — Tue, 21 Jul 2020 13:07:31 GMT

the group mapping is only used to extract group information from the active directory, and list the usernames that are in the group. it does not extract user to ip mapping

for this you would need to install a user-id agent on your active directory, or fill out the information in the server profile (first tab in your screenshot) so the firewall can actively retrieve log information from your AD audit log