User-ID Source

L1 Bithead

Hello,

 

I have some concerns regarding User-ID information. We currently have internal and external gateways which should be grabbing User-ID/IP mappings. These are critical for RBAC-style rules based on AD groups.

 

I notice sometimes that my logs have entries without a username. When this happens, my access is limited. I verified on the CLI that during this time, there is no mapping there either. Usually the mapping is restored after a few minutes through no action of the admin/end user.

I started looking into things and realized that from the CLI, the source of my User-ID information is UIA and not GP. Is this expected? We are running agents on two Windows servers, as well as WMI with the Palo Alto agentless configuration. However, I had expected GP to sort of supersede both of these sources.

 

When looking at my GP client (currently connected inside the office), the username field is blank. Is this expected? Is it indicative of an issue? I'm unsure if this is related to the log entries showing no username (since things work right now and the logs are fine) but I'm trying to validate the stability of our User-ID information-gathering. The CLI has UIA and all my groups, so it's accurate but I'm unclear why it isn't the type GP.

 

I guess to summarize, I have 2 questions:

1. Has anyone seen the mapping disappear temporarily?

2. Is the source 'UIA' expected considering my situation?

 

The first screenshot shows the lack of username in the GP client. The second screenshot shows the issue where several lines of the log contain no username (note: it's a little hard to see and there are no deny entries because this rule does not specify one, but the rules that do are not hit when the username is not present).

 

Thank you

 

Edit: I did some testing

 

I switched to wireless and then disabled GP. I then re-connected to the wired network and did a DHCP release/renew. I waited a few minutes but no mapping appeared in the CLI. I then re-connected GP internally and the user name field now displays the correct username and the CLI showed type GP. However, after a minute it switched back to UIA.

 

I don't understand why the mapping did not exist when GP was disconnected. I also do not understand why it changed back to UIA from GP after a minute or so.

 

I'm running GP 4.1.7 for reference

 

Attachments: user-id.png, log.png
