Agentless User-ID


L1 Bithead

Hi,

I am having issues with getting the user-mappings after configuring the PAN as an agentless user-id with an AD. I have followed all the steps in this document

-> https://live.paloaltonetworks.com/docs/DOC-4332.

All are good except that when I run the CLI command  > show user ip-user-mapping all


L5 Sessionator

Hello,

Check whether the service account created for pulling user-ip mapping has the rights set by the 'Manage auditing and security log' policy and the 'DCOM: Machine launch restriction' policy.

Regards,

Hari Yadavalli

Hi,

Would you care to explain further the policy rights assignment?

Thanks

Hello,

You can find the 'Manage auditing and security log' policy under 'User Rights Assignment' in Group Policy Management, and the 'DCOM: Machine Launch restriction...' policy under 'Security options' in the same Group Policy Management console for the DC.

Regards,

Hari Yadavalli

Hi, I've done the user rights assignment but still the same. I read somewhere that you need to set up an LDAP server. Is this necessary?

LDAP server is required for getting group-mappings.

Can you confirm if user-identification is enabled for the zone you want to see mapping for?

Suhaimi,

No, an LDAP server configuration is required to pull user-group mappings, not in this case. If you're sure about the service account privileges (be sure the user is part of the Distributed COM Users, Server Operators and Event Log Readers groups), can you ensure the status of the AD shows up as 'Connected' on the firewall?

[Attached screenshot: uid.PNG]

You can run the following commands to check the statistics as well:

> show user server-monitor state all

> show user server-monitor statistics

Also, please ensure the firewall is connected to all the DCs the users are logging on to. User-ip-mappings are retrieved by the firewall by reading successful logon events from the security logs on the DC. You can run 'set l' on the Windows command prompt and that will show the DC the user is logging onto. If all this is in place, looking at the userid debug logs should help.

> debug user-id on debug

> debug user-id set userid servermonitor

> debug user-id set userid basic

> debug user-id log-ip-user-mapping yes

> tail follow yes mp-log useridd.log

To turn these off:

> debug user-id log-ip-user-mapping no

> debug user-id unset all

> debug user-id on info

This will be a helpful document for you:

https://live.paloaltonetworks.com/docs/DOC-5662

Hope that helps,

Aditi
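The replies above name four prerequisites on the domain controller side (membership in Distributed COM Users, Server Operators and Event Log Readers; the 'Manage auditing and security log' user right; the DCOM machine-launch restriction; and successful logon events actually being present in the Security log). The following PowerShell script is an added example that checks each of them on a DC. It is not from this thread and not Palo Alto Networks' own tooling. It assumes a hypothetical service account named 'svc-userid', the ActiveDirectory RSAT module, that a successful logon is Windows Security event ID 4624, and that a GPO-set DCOM machine-launch policy lives as the REG_BINARY value MachineLaunchRestriction under HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DCOM.

```powershell
<#
 Added example for this thread (not from the original replies or from Palo Alto Networks).
 Checks, on a domain controller, the prerequisites the replies describe for the agentless
 User-ID service account. Run in an elevated PowerShell session on the DC.
 Assumptions (constructed for the example): service account 'svc-userid'; successful logon
 = Security event ID 4624; GPO DCOM policy stored as MachineLaunchRestriction (REG_BINARY)
 under HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DCOM.
#>
function Test-UserIdPrerequisites {
    param(
        [string]$ServiceAccount = 'svc-userid',   # hypothetical account name
        [int]$Hours = 1
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    $user   = Get-ADUser -Identity $ServiceAccount
    $groups = Get-ADPrincipalGroupMembership -Identity $ServiceAccount   # direct memberships only
    $sids   = @($user.SID.Value) + @($groups | ForEach-Object { $_.SID.Value })
    $result = [ordered]@{}

    # 1. Group membership named in the accepted answer.
    foreach ($g in 'Distributed COM Users', 'Server Operators', 'Event Log Readers') {
        $result["Member of '$g'"] = [bool]($groups.Name -contains $g)
    }

    # 2. 'Manage auditing and security log' user right = SeSecurityPrivilege.
    #    secedit exports the locally applied rights as a list of '*SID' entries, so the
    #    account qualifies if its own SID or one of its group SIDs is listed.
    $cfg = Join-Path $env:TEMP 'userid-rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeSecurityPrivilege\s*=' } | Select-Object -First 1
    $granted = @()
    if ($line) {
        $granted = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    }
    $result['SeSecurityPrivilege (Manage auditing and security log)'] =
        [bool]($sids | Where-Object { $granted -contains $_ })
    Remove-Item $cfg -ErrorAction SilentlyContinue

    # 3. DCOM machine-launch restriction: show the policy SDDL when a GPO overrides the
    #    default, so an administrator can see whether the account's SIDs get an allow ACE.
    $dcom = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DCOM' `
                -Name MachineLaunchRestriction -ErrorAction SilentlyContinue
    if ($dcom) {
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($dcom.MachineLaunchRestriction, 0)
        $result['DCOM MachineLaunchRestriction (policy SDDL)'] = $sd.GetSddlForm('All')
    } else {
        $result['DCOM MachineLaunchRestriction (policy SDDL)'] = 'not set by policy (machine default applies)'
    }

    # 4. The events User-ID reads: successful logons in the Security log over the last N hours.
    #    Zero events here means the firewall has nothing to map, whatever the account's rights.
    $since  = (Get-Date).AddHours(-$Hours)
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                             -ErrorAction SilentlyContinue)
    $result["Event 4624 count, last $Hours h"] = $events.Count
    $result['Sample logons'] = $events | Select-Object -First 5 | ForEach-Object {
        $x = [xml]$_.ToXml(); $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        '{0}  {1}\{2}  from {3}  logon type {4}' -f $_.TimeCreated, $d.TargetDomainName,
                                                   $d.TargetUserName, $d.IpAddress, $d.LogonType
    }
    return [pscustomobject]$result
}

Test-UserIdPrerequisites -ServiceAccount 'svc-userid' -Hours 1 | Format-List
```

Run it on every DC the firewall monitors, since the thread's point is that a user logging on through a DC the firewall is not reading from will never get a mapping. A 'False' on the group or privilege rows explains an AD server that never reaches 'Connected'; a zero event count with all rights present points at auditing (successful logon events not being recorded) rather than at the service account.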
