Agentless User-ID not reading Security Log on AD



L2 Linker

I'm pretty new to PA so there may be something obvious that I have missed.

The issue I am having is trying to get the Agentless User-ID connecting and reading Security Logs from AD. All the users are coming up as Unknown:

show user ip-user-mapping all

IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
 --------------- ------ ------- -------------------------------- -------------- -------------
 10.10.10.43     vsys1  Unknown unknown                          1              4
 10.10.9.16      vsys1  Unknown unknown                          2              5
 10.10.12.40     vsys1  Unknown unknown                          1              4
 10.10.0.17      vsys1  Unknown unknown                          2              5
 10.10.4.181     vsys1  Unknown unknown                          1              4

The environment is PAN 3020 7.0.8, AD on Server 2008 R2. PAN is running as a very simple Virtual Wire.

 

I have created the WMI Authentication user with the correct rights to AD (Distributed COM, Event Log Readers, Server Operators) and also added CIMV2 Enable Account and Remote Enable.

show user server-monitor statistics

Directory Servers:
Name                           TYPE     Host            Vsys    Status
 -----------------------------------------------------------------------------
 ad1.domain.name               AD      192.168.1.1     vsys1    Connected
 ad1.domain.name               AD      192.168.1.2     vsys1    Connected


Syslog Servers:
 Name                      Connection Host            Vsys    Status
 -----------------------------------------------------------------------------

One of the things that concerns me is that the number of logs read is 0:

show user server-monitor state all

        UDP Syslog Listener Service is disabled
        SSL Syslog Listener Service is disabled

Server: ad1.domain.name(vsys: vsys1) (job 1449)
        Host: 192.168.1.1
        num of log query made       : 462
        num of log query failed     : 0
        num of log read             : 0
        last record timestamp       : 0
        last record time            :

Server: ad2.domain.name(vsys: vsys1)
        Host: 192.168.1.2
        num of log query made       : 389
        num of log query failed     : 0
        num of log read             : 0
        last record timestamp       : 0
        last record time            :

show user group list and show user group name <group> both give expected results from AD. If I check 'Enable Session' from within the User-ID Agent setup I see some users but not all. I have run the WMI Authentication as a Domain Admin with the same results. I have checked the domain controllers and both have multiple 4624, 4768, 4769 events in the last hour but no 4770.

 

Can anyone point me in another direction of things to test?
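Because the diagnosis in this thread hinges on reading the `show user server-monitor state all` counters correctly, here is an added Python example (not from the original post and not Palo Alto Networks code) that parses that output and maps the counters to the next check worth running. The sample output is constructed: `ad1.domain.name` is copied from the post, while `ad3.example.test` is a hypothetical healthy server with invented counters so one server passes. It assumes `last record timestamp` is Unix epoch seconds; `NOW_EPOCH` and `MAX_RECORD_AGE_S` are constructed values you would replace with `time.time()` and your own tolerance.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of `show user server-monitor state all`: ad1 is copied
# from the thread; "ad3.example.test" is a hypothetical healthy server with
# invented counters so the check has one server that passes.
SAMPLE_STATE = """\
        UDP Syslog Listener Service is disabled
        SSL Syslog Listener Service is disabled

Server: ad1.domain.name(vsys: vsys1) (job 1449)
        Host: 192.168.1.1
        num of log query made       : 462
        num of log query failed     : 0
        num of log read             : 0
        last record timestamp       : 0
        last record time            :

Server: ad3.example.test(vsys: vsys1)
        Host: 192.168.1.3
        num of log query made       : 120
        num of log query failed     : 0
        num of log read             : 3150
        last record timestamp       : 1468919000
        last record time            : 2016-07-19 09:03:20
"""

# Assumption: "last record timestamp" is Unix epoch seconds. NOW_EPOCH is a
# constructed "current time" 100 s after ad3's last record so runs are
# deterministic; pass int(time.time()) on a real box.
NOW_EPOCH = 1468919100
MAX_RECORD_AGE_S = 15 * 60   # no new records for this long counts as stalled


@dataclass
class ServerState:
    name: str
    host: str
    queries_made: int
    queries_failed: int
    logs_read: int
    last_record_ts: int


def _to_state(f: Dict[str, str]) -> ServerState:
    def num(key: str) -> int:
        return int(f.get(key, "0"))
    return ServerState(f["name"], f.get("Host", ""), num("num of log query made"),
                       num("num of log query failed"), num("num of log read"),
                       num("last record timestamp"))


def parse_server_monitor_state(text: str) -> List[ServerState]:
    """Split the CLI output into one record per 'Server:' block."""
    servers: List[ServerState] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Server:"):
            if current:
                servers.append(_to_state(current))
            # "ad1.domain.name(vsys: vsys1) (job 1449)" -> "ad1.domain.name"
            current = {"name": line[len("Server:"):].split("(")[0].strip()}
        elif current and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    if current:
        servers.append(_to_state(current))
    return servers


def diagnose(s: ServerState, now_epoch: int = NOW_EPOCH) -> List[str]:
    """Map the counters to the next thing worth checking; empty list = healthy."""
    findings: List[str] = []
    if s.queries_made == 0:
        findings.append("no queries made: server unreachable or monitoring disabled")
    elif s.queries_failed == s.queries_made:
        findings.append("every query failed: check WMI credentials, DCOM/WMI rights, DNS")
    elif s.logs_read == 0:
        findings.append("queries succeed but 0 events read: confirm success auditing "
                        "(4624/4768/4769), Event Log Readers membership, and that the "
                        "firewall and DC clocks agree")
    elif now_epoch - s.last_record_ts > MAX_RECORD_AGE_S:
        findings.append("last record is stale: log reading has stalled")
    return findings


if __name__ == "__main__":
    for srv in parse_server_monitor_state(SAMPLE_STATE):
        print(f"{srv.name} ({srv.host}):", diagnose(srv) or ["OK"])
```

Run it against a saved copy of the CLI output. `ad1.domain.name` lands in the "queries succeed but 0 events read" branch, which is exactly the state in the question: the firewall connects and queries without error, yet nothing is ever returned. Missing success auditing, a service account without Event Log Readers rights, or a firewall clock that disagrees with the DC all produce that same signature, which is why the branch lists them together; in this thread the cause turned out to be the firewall's system date.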

 

 

Cyber Elite

Did you make sure successful logon auditing is enabled on the Active Directory? By default this is turned off, so there aren't any logs to read:

 

(screenshot attached: 2016-07-19_10-43-02.jpg)


Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Thanks for the reply reaper. Yes I have both the 'Audit account logon events' and 'Audit logon events' logging success. I have verified these in the logs; 4624 is a 'logon event' and 4768 is an 'account logon'. I confirmed these events by running event viewer remotely using the account set for WMI Authentication.

 

I have also now updated the unit to 7.1.3 but still can't find the cause of the logs not being read.

Fixed....

 

The system date was incorrect.

 

I'll shut the door on the way out.

Hi,

I was also facing the same issue; it was using the public DNS, and when I changed to the internal DNS pointing to AD, it started working fine.

Hi, we are facing the same issue on AD 2019 and PAN OS 10.1.5h1. We have already checked time sync on all systems, but it still does not get User-ID mappings; we still get unknown. Could you please explain more about your solution?

 
