03-01-2018 06:43 AM
We have an agentless User-ID setup. Firewall is able to pull user accounts from the AD.
User-ID based policies were created on top of IP-Based policies.
However, some user traffic can be seen using the user-id based policies, some users can be seen using the IP-based policies.
This happens on all of my sites.
Is this a normal behavior? Or is there something wrong on my setup.
03-01-2018 06:57 AM
Hello,
Here are a few things to check out.
Check your timeout settings
Device tab -> User Identification -> User Mapping -> User Identification Timeout
I have mine set to 720 minutes but the default is 45 minutes.
Check the zone settings to make sure they are set to use User-ID
Network tab -> Zones
Make sure the user-id boxes are checked on the zones you wish to monitor. Also if you are using subnets to specific 'Included Networks' make sure the subnets you need to monitor are listed.
Hope this helps.
03-01-2018 08:44 AM
not sure if I'm reading your post correctly but...
just because you have a user policy it does not mean that they can only use that policy. if the user IP address matches your IP policy then you will see traffic with the users name using that policy...
that sounds confusing... sorry.
03-02-2018 02:37 AM
I'm reading your explanation the same way as @Mick_Ball I think
User mapping and IP addresses are not mutually exclusive but rather an added layer of identification as your IP's may be shared between different departments and some things should only be limited based on the IP address a connection is coming from (the intranet), and some things need to be limited based on the user-ID or group membership (HR salary system, IT database, ...)
so rules created with only an IP will match any IP that matches the subnet, any policy created with a username or group will require UserID to have positively identified the user before the rule can be matched
Here's an article that could be helpful: https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-User-ID/ta-p/69321
03-04-2018 05:29 AM
Hi Otakar.Klier, thanks for replying. I'm already using those settings except for the User Identification Timeout. I'm still using the default of 45 minutes.
03-04-2018 05:34 AM
Hi Mickball, thanks for replying. I get your point.
I have a user policy on top of my IP policy.
For example
Policy #1 User policy has hq\netengr1 and hq\netengr2 as source user, any as source IP
Policy #2 IP policy has 192.168.1.0/24 source IP and any source user.
hq\netengr1 uses the correct policy (policy 1). However hq\netengr2 traffic falls to policy #2, even if he's logged in using the correct account. That's my problem, any tips on where to check?
03-05-2018 01:13 AM
@theonewhoknocks, thanks for the confirmation...
OK so im going to assume all users are allowed out via Policy2.
does netengr2 ever go out via policy1 or is it just some of his traffic...
does netengr1 ever go out via policy2...
are netengr1 & 2 going to the same sites... perhaps this could be worth testing.
do you have any other explicit rules in Policy1, such as application,service, profiles etc that could be affecting netengr2.
is policy 2 exactly the same as policy1 apart from the source user....
I would add a test policy between 1 & 2, source user netmngr2 any any any any any DENY and log session start.
if he is still allowed via any any 192.168.1.0/24 policy then you know its the user-id. we can look into this once confirmed...
if he still
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
