Agentless User-ID

L1 Bithead

Agentless User-ID

Hi,

I am having issues with getting the user-mappings after configuring the PAN as an agentless user-id with an AD. I have followed all the steps in this document

-> https://live.paloaltonetworks.com/docs/DOC-4332.

All are good except that when I run the CLI command  > show user ip-user-mapping all

L5 Sessionator

Re: Agentless User-ID

Hello,

Check whether the service account created for pulling user-IP mappings has rights for the 'Manage auditing and security log' policy and the 'DCOM: Machine launch restriction' policy.

Regards,

Hari Yadavalli

L1 Bithead

Re: Agentless User-ID

Hi,

Would you care to explain further the policy rights assignment?

Thanks

L5 Sessionator

Re: Agentless User-ID

Hello,

You can find the 'Manage auditing and security log' policy under 'User Rights Assignment' in Group Policy Management, and the 'DCOM: Machine Launch restriction...' policy under 'Security options' in the same Group Policy Management for the DC.

Regards,

Hari Yadavalli

L1 Bithead

Re: Agentless User-ID

Hi, I've done the user rights assignment but still the same. I read somewhere that you need to set up an LDAP server. Is this necessary?

L5 Sessionator

Re: Agentless User-ID

An LDAP server is required for getting group mappings.

Can you confirm if user identification is enabled for the zone you want to see mappings for?

L4 Transporter

Re: Agentless User-ID

Suhaimi,

No, LDAP server configuration is required to pull user-group mappings, not in this case. If you're sure about the service account privileges (be sure the user is part of the Distributed COM Users, Server Operators and Event Log Readers groups), can you ensure the status of the AD shows up as 'Connected' on the firewall?

[screenshot: uid.PNG]

You can run the following commands to check the statistics as well:

> show user server-monitor state all

> show user server-monitor statistics

Also, please ensure the firewall is connected to all the DCs the users are logging on to. User-IP mappings are retrieved by the firewall by reading successful logon events from the security logs on the DC. You can run 'set l' on the Windows command prompt and that will show the DC the user is logging on to. If all this is in place, looking at the userid debug logs should help.

> debug user-id on debug

> debug user-id set userid servermonitor

> debug user-id set userid basic

> debug user-id log-ip-user-mapping yes

> tail follow yes mp-log useridd.log

To turn these off:

> debug user-id log-ip-user-mapping no

> debug user-id unset all

> debug user-id on info

This will be a helpful document for you:

https://live.paloaltonetworks.com/docs/DOC-5662

Hope that helps,

Aditi
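A way to check the DC-side prerequisites listed in the replies above (group membership, the 'Manage auditing and security log' right, and whether this DC is actually recording successful logons), as an added example that is not part of the thread and not a Palo Alto Networks tool. It is PowerShell run on the domain controller with the ActiveDirectory module; the account name svc-userid, and the use of secedit and logon event ID 4624 to verify the right and the audit trail, are assumptions of this example rather than steps the thread gives.

```powershell
# Added example, not from the thread: verify agentless User-ID prerequisites on a DC.
# $ServiceAccount is an assumed name; use the account configured on the firewall.
param([string]$ServiceAccount = 'svc-userid')

Import-Module ActiveDirectory

# 1. Group memberships named in the thread (nested membership counts).
$requiredGroups = 'Distributed COM Users', 'Server Operators', 'Event Log Readers'
foreach ($g in $requiredGroups) {
    $members = Get-ADGroupMember -Identity $g -Recursive |
               Select-Object -ExpandProperty SamAccountName
    $state = if ($members -contains $ServiceAccount) { 'OK' } else { 'MISSING' }
    "{0,-8} member of '{1}'" -f $state, $g
}

# 2. 'Manage auditing and security log' is SeSecurityPrivilege in the exported
#    security policy. It is granted to SIDs, so resolve the account's SID first.
#    A 'CHECK' result can still be fine if the right is granted via a group SID.
$sid = (Get-ADUser -Identity $ServiceAccount).SID.Value
$inf = Join-Path $env:TEMP 'userid-secpol.inf'
secedit /export /cfg $inf /quiet | Out-Null
$privLine = Get-Content $inf | Where-Object { $_ -match '^SeSecurityPrivilege' }
$state = if ($privLine -and ($privLine -match [regex]::Escape($sid))) { 'OK' } else { 'CHECK' }
"{0,-8} SeSecurityPrivilege (Manage auditing and security log) for $ServiceAccount" -f $state
Remove-Item $inf -ErrorAction SilentlyContinue

# 3. The firewall builds IP-user mappings from successful logon events in the
#    Security log (event ID 4624). Zero events in the last hour means logon
#    auditing is off here or users authenticate against another DC ('set l').
$since  = (Get-Date).AddHours(-1)
$logons = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
              -ErrorAction SilentlyContinue)
"{0,-8} successful logon events (4624) in the last hour on $env:COMPUTERNAME" -f $logons.Count
```

Run it once per domain controller the users log on to, since each DC only holds its own Security log.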
