topic Re: User-ID Help in General Topics

User-ID Help

JonHill — Mon, 30 Nov 2020 12:12:56 GMT

In recent weeks we've had a problem reported where one minute a site will be accessible for instance Youtube and then it won't be and then it will and it goes on, after looking in the logs when the connection to Youtube fails is when the log show no USER-ID when it works it shows a local USER-ID. We use an AD group for access to general internet and have this configured on the corresponding rule.

I've tried troubleshooting looking at various knowledgbase articles but haven't found any reason why sometimes USER-ID's are correct and and sites can be accessed and then othertimes they can't its also not happeing for all sites accessed at the sametime it may not work for Youtube but it will work for Google.

Can anyone give me any ideas why this might be happeneing?

Thanks

Jon

Re: User-ID Help

kenvizena — Mon, 30 Nov 2020 16:58:22 GMT

Can you provide more information?

What version of PanOS?

Are you using samaccountname and userprincipalname?

Do you have the user-id agent parsing every single sec-event-log on every DC?

Do you have "enable user-id" on for every internal zone?

Do you use Terminal Services? If so do you have that agent in that environment as well?

Are you using the same SPG for all rules or do you have multiple SPG's? Depending on your environment you can have one source subnet hitting a different policy /w a different SPG and URL filter if configured.

I have seen issues where a person is using a cached authentication in Windows when not connected to work via VPN and then attempts access which fails with the same type of error.

For testing I would use sites that are not super-trackers to see if the issue is as simple as all internal zones having user-id enabled. I would also check to see when it fails from the command line what it shows.

> show user ip-user-mapping all | match ken

IP VSYS Source user idletimeout maxtimeout

10.10.10.10 vsys1 UIA ken 2715 2715

Can the firewall get the updated ldap group membership?

> show user group list

cn=blah.blah.f00

> show user group name cn=blah.blah.f00

>show user group-mapping state f00

Servers : configured 2 servers

Last Action Time: 336 secs ago(took 12 secs)
Next Action Time: In 3264 secs

Re: User-ID Help

JonHill — Mon, 08 Feb 2021 13:20:14 GMT

Apologies for not replying sooner its been manic here and this is the first chance I’ve got to reply to your questions.

Thanks

Jon

What version of PanOS? 9.08

Are you using samaccountname and userprincipalname? Just samaccountname

Do you have the user-id agent parsing every single sec-event-log on every DC? Yes

Do you have "enable user-id" on for every internal zone? No, just our two Trust zones, WAN and Internet.

Do you use Terminal Services? If so do you have that agent in that environment as well? We don’t use Terminal Services in our environment but do use VDI.

I have seen issues where a person is using a cached authentication in Windows when not connected to work via VPN and then attempts access which fails with the same type of error.

> show user ip-user-mapping all | match ken

jhill@PHMDP01_PAN5250(active)> show user ip-user-mapping all | match jhill

10.170.38.229 vsys1 UIA ulh\jhill 867 867

10.130.239.12 vsys1 UIA ulh\jhill 868 868

Can the firewall get the updated ldap group membership?

Yes it can.

> show user group list

cn=blah.blah.f00

> show user group name cn=blah.blah.f00

It pulls back all the users in a group

>show user group-mapping state

Servers : configured 4 servers

Re: User-ID Help

BPry — Mon, 08 Feb 2021 20:29:23 GMT

@JonHill,

So first thing to look at is actually your User Identification Timeout value is. Usually with issues like this the entry is simply aging off because activity isn't being recorded in the AD logs within the specified timeout value, so the firewall allows the ip-user-mapping to age off because it hasn't seen any user-id activity in the allotted timeframe.

Re: User-ID Help

JonHill — Tue, 09 Feb 2021 09:51:12 GMT

Currently the Cache Timeout is set at 15 mins, I've read a couple of articles that this should be a lot higher and ideally half the DHCP refresh. I've also seen other articles that say if you're not using client probing it should be set at 600.
Server log monitor is set at 2s and session read frequency is set at 10s.
Any recommendations as to what these timers should be set at would be great?
Thanks

Jon