topic Re: User-ID and app discovery on IPSec tunnel for site-to-site VPN in General Topics

User-ID and app discovery on IPSec tunnel for site-to-site VPN

JoschkaKruse — Wed, 16 Dec 2020 15:39:42 GMT

Hello everyone,

we're using a VM300. I've recently set up 2 VPN tunnels, ike1 and ikev2. Tunnels come up successfully, but no user-ID is being transmitted and apps are not being discovered properly.

We also have another site connected via MPLS where everything works fine.

User-ID has been enabled on the zone where the tunnels are connected to.

Any hints and ideas what I am missing?

Re: Agentless User-ID and app discovery on IPSec tunnel for site-to-site VPN

S.Cantwell — Wed, 16 Dec 2020 13:45:15 GMT

Good Morning

So I am a little confused about expectations and what you described.

First, User ID is NOT transmitted, it is received from your local FW, when a Src Addr communicates.

So I do not believe we are "transmitting" UserID to the remote side.

I am not sure I understand the connection between no UserID and applications detection.

Are you stating the zero applications are seen across your VPN? That does seem strange.

Perhaps you can do more into detail on this aspect.

I think the feature you need to enable (if I understand correctly) is User ID redistribution.

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/user-id/deploy-user-id-in-a-large-scale-network/redistribute-user-mappings-and-authentication-timestamps/configure-user-id-redistribution.html

Re: Agentless User-ID and app discovery on IPSec tunnel for site-to-site VPN

Thyrion — Wed, 16 Dec 2020 13:45:17 GMT

what mechanism are you using to match incoming IP addresses to user-id ? (are incoming user connections logging in via an account on the local AD. is Captive Portal set up? )

and what are you seeing in regards to apps not being identified correctly?

Re: Agentless User-ID and app discovery on IPSec tunnel for site-to-site VPN

aleksandar.astardzhiev — Wed, 16 Dec 2020 13:49:29 GMT

Hi @JoschkaKruse ,

Lets make it clear user-ID has nothing to do with app-ID, so lets separate the two issues.

User-ID:

Enabling user-ID on the IPsec tunnel zone will only tell the firewall to look for user-to-ip mapping for the source IPs that are received from that zone. You still need to have the "user-to-ip" mapping information from somewhere. If you say you are using Agentless I guess you are using Server Monitor and firewall is looking at the Active Directly security logs for logon events. Can you confirm that AD you are monitoring have logon events for the users in the remote network? Are these users use the same AD?

I cannot think of any reason why IPsec tunnel will behave differently from any other interface on the firewall. So I will abstract from the fact that it is IPsec tunnel, and look if the AD that FW is monitoring actually have information for IP network behind the tunnel.

Application-ID:

Again - no reason why IPsec tunnel will behave differently from any other interface on the firewall. In addition FW will always try to identify the traffic that is processing, no matter if you use apps in the security rulebase or not. Can you explain a bit more what do you mean by "apps are not being dicovered properly"? What is firewall reporting and what do you expect to be reporting?

Re: User-ID and app discovery on IPSec tunnel for site-to-site VPN

JoschkaKruse — Wed, 16 Dec 2020 16:42:37 GMT

I'm pretty new to Palo and firewalling, so sorry for the lack of info I gave you 😞

We're using a UIA and terminal server agent. Sorry for the faulty info.

Thanks for all your responses so far. Just figured it out I guess 🙂

App-id for internal traffic worked properly.

Same with user-id somehow.

Maybe I had a faulty client for my tests yesterday.

So my only issue seemed to be the app-id.

I saw that all external requests ended up as incomplete and NAT destination port as 0.

So what I missed was, to add the VPN zone to the hide NAT rule. After that, appid was recognized immediately. 🙂

The only thing I'm wondering about is the fact that the user-id gets lost after a longer period of inactivity on the client in the VPN network. Maybe that's cause of the cache settings configured for the user-id?

Re: User-ID and app discovery on IPSec tunnel for site-to-site VPN

BPry — Wed, 16 Dec 2020 17:57:51 GMT

@JoschkaKruse,

User-ID information will age-out unless your are actively receiving additional logs for that user or you have enabled probing. You can either adjust that so it holds onto the mapping longer, add additional sources to be monitored such as Exchange, or setup probing. What is your timeout value currently set to?