topic Re: security policy source user strange behavior in General Topics

security policy source user strange behavior

giacomomarconi — Thu, 10 Dec 2020 10:57:13 GMT

Hello

I am using ldap users as source user in security policy.

The policy defines who can access http-service and https-service to the internet.

After the Firewall there are about 500 PCs and about 10% PCs stop to browse the internet every 20-30min, pressing F5 in the browser seems to solve.

The only thing that I understood is that the problem is always in those PC.

Removing the source user limitation this problem disappear.

Any idea on howto debug this ?

thanks very much

Re: security policy source user strange behavior

Mick_Ball — Thu, 10 Dec 2020 17:27:15 GMT

try to increase user identification timeout (min) from default 45 to 8 hours (480)

for debug overide interzone default policy and log session start.

look for traffic with no source user.

Re: security policy source user strange behavior

saraya — Fri, 11 Dec 2020 00:15:54 GMT

Do you see an intermittent blank 'source user' value on traffic logs (Monitor > Traffic) once it fails?

You may verify this by filtering in traffic logs the following: ( user.src neq 'source-user' ) and ( addr.src in x.x.x.x ).

If that is the case, most likely the User-to-IP mapping is being lost due to Timeout. Ref doc:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClZzCAK

You can either increase the User Identification Timeout or remove the check from the Enable User Identification Timeout.

More information about User Identification Timeout: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNVyCAO

Re: security policy source user strange behavior

giacomomarconi — Fri, 11 Dec 2020 21:39:44 GMT

Thank you both for the answers.

at the moment i disabled the user identification in the policies, to keep people work.

I noticed that pc/user with problem are always the same.

And the interruption (i see the empty user in url filtering) is less of the 45min set in the timeout setting.

next week I will set up a little lab where to try to reproduce the problem.

should I look at the user id agent server to find something ?

Giacomo

Re: security policy source user strange behavior

Mick_Ball — Sat, 12 Dec 2020 08:35:23 GMT

this will be easy to diagnose without a lab.

Just clone your HTTP/HTTPS policy that has no user identification and call it user-test.

add this directly above and allow with source user ID.

This will not block users as they will drop down to the next policy that will allow if no user id is found.

monitor the traffic for http(s) and when a user is using user-test then you know user id is working for them.

If you see a user on the other policy then search for that user on the server agent under "monitoring".

if the search is blank then the ip address associated with that user may have timed out.

please note that the user timeout has nothing to do with timestamps on traffic monitor, it is the time since the ip address was last observed in the security logs by the agent. so a user could be fine at 10:44 and at 10:46 no traffic. this is because they registered their ip address at 10:00 and it has now timed out.

if it applies to a particular set of users then this could be because their domain activity is not as frequent as others.

on the server agent you can increase timeout here under setup.

Re: security policy source user strange behavior

giacomomarconi — Tue, 15 Dec 2020 10:44:32 GMT

I increased the timeout to 600, but when I launch:

show user ip-user-mapping all type UNKNOWN

I always see about 10-15 PCs in the unknown list.

Re: security policy source user strange behavior

Mick_Ball — Tue, 15 Dec 2020 10:51:54 GMT

The new user mapping timeout will only start on the next new mapping, are you monitoring AD security logs.

If so then get user to log out and back in to update security log on AD.

Re: security policy source user strange behavior

giacomomarconi — Tue, 15 Dec 2020 16:39:19 GMT

this will be easy to diagnose without a lab.

Just clone your HTTP/HTTPS policy that has no user identification and call it user-test.

add this directly above and allow with source user ID.

I can see a lot fo empty "source user" in "Monitor/Url Filtering" also without that rule.

Re: security policy source user strange behavior

giacomomarconi — Thu, 17 Dec 2020 14:59:52 GMT

I tried to add a third User-id Agent.

What's the need of User Identification > User Mapping > server monitoring tab ?

If I press discover my DC's are listed, but with the access denied error.

thanks very much for yours help.

Re: security policy source user strange behavior

Mick_Ball — Thu, 17 Dec 2020 15:08:52 GMT

have you setup a server monitor account in the agent setup?

Re: security policy source user strange behavior

giacomomarconi — Thu, 17 Dec 2020 23:20:09 GMT

yes it is configured.

I meant, is server monitor only need for wmi probing ?