User-ID sometimes missing ntlmdomain\ on the firewall

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

User-ID sometimes missing ntlmdomain\ on the firewall

L2 Linker

Hi,

I've recently seen this a couple of times on completely separate firewalls / AD infrastructures (a 2050 cluster and a 3020 cluster, both running 5.0.8). User ID is setup and working fine along with LDAP group mapping

However on the odd occasion users report applications or URL categories blocked that should be allowed. It often "goes away" again soon.

I spotted in the URL and Traffic logs, the user is (for short periods) identified just as USERNAME, rather than DOMAIN\USERNAME...

This of course does not match rules with usernames specified in them.

Any ideas why it may drop the domain name occasionally?

Thanks

Dave

6 REPLIES 6

L3 Networker

Dave,

This could be a known issue. Fixed 5.0.7, bug id 52383.

PAN-OS 5.0.7: Addressed Issues

5.0.7 has software buffer issues and hence upgrade to this version is not recommended, 5.0.10 is a stable version comparatively.

HTH

Deepak

L4 Transporter

Do you know if those PCs from where the usernames appear without the domain are perhaps running some sort of service in the background that is only associated with the username (and is missing the domain). Do you see logon event on the AD / DC security events with just the username? What is the user-ip-mapping on the UserID agent when you see the logs on the firewall show only the username?

Thanks for that... I might be reading it wrong but doesn't it say that was addresses/fixed in 5.0.7 ?

Unless it wasn't rolled into 5.0.8 for some reason...

Does look very similar though. I'll give a later build of 5.0.x a whirl today and see what happens!

Found this..

53258—Authenticating access to a file share folder hosted outside of the Active Directory domain was causing the firewall to change the User-IP Mapping to the username and password used to authenticate to the file share folder hosted outside of the Active Directory domain, instead of the Active Directory username and password.

Resolved in 5.0.11

So I'll be giving that a try!

The fix in 5.0.7 is good for the succeeding maintenance release too, my recommendation of not moving to 5.0.7 is due to a software pool depletion issue that you might run into 5.0.7.

HTH

L4 Transporter

Is this a multi domain environment and do you have server session read enabled?

For multiple domain environments the data gathered from open sessions may not be accurate. This method does not deliver domain data with the user name and it is assumed that the user is a member of the domain that the monitored server is part of.

  • 5073 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!