User-ID sometimes missing ntlmdomain\ on the firewall

Reply
L2 Linker

User-ID sometimes missing ntlmdomain\ on the firewall

Hi,

I've recently seen this a couple of times on completely separate firewalls / AD infrastructures (a 2050 cluster and a 3020 cluster, both running 5.0.8). User ID is setup and working fine along with LDAP group mapping

However on the odd occasion users report applications or URL categories blocked that should be allowed. It often "goes away" again soon.

I spotted in the URL and Traffic logs, the user is (for short periods) identified just as USERNAME, rather than DOMAIN\USERNAME...

This of course does not match rules with usernames specified in them.

Any ideas why it may drop the domain name occasionally?

Thanks

Dave

Highlighted
L3 Networker

Re: User-ID sometimes missing ntlmdomain\ on the firewall

Dave,

This could be a known issue. Fixed 5.0.7, bug id 52383.

PAN-OS 5.0.7: Addressed Issues

5.0.7 has software buffer issues and hence upgrade to this version is not recommended, 5.0.10 is a stable version comparatively.

HTH

Deepak

L4 Transporter

Re: User-ID sometimes missing ntlmdomain\ on the firewall

Do you know if those PCs from where the usernames appear without the domain are perhaps running some sort of service in the background that is only associated with the username (and is missing the domain). Do you see logon event on the AD / DC security events with just the username? What is the user-ip-mapping on the UserID agent when you see the logs on the firewall show only the username?

L2 Linker

Re: User-ID sometimes missing ntlmdomain\ on the firewall

Thanks for that... I might be reading it wrong but doesn't it say that was addresses/fixed in 5.0.7 ?

Unless it wasn't rolled into 5.0.8 for some reason...

Does look very similar though. I'll give a later build of 5.0.x a whirl today and see what happens!

L2 Linker

Re: User-ID sometimes missing ntlmdomain\ on the firewall

Found this..

53258—Authenticating access to a file share folder hosted outside of the Active Directory domain was causing the firewall to change the User-IP Mapping to the username and password used to authenticate to the file share folder hosted outside of the Active Directory domain, instead of the Active Directory username and password.

Resolved in 5.0.11

So I'll be giving that a try!

L3 Networker

Re: User-ID sometimes missing ntlmdomain\ on the firewall

The fix in 5.0.7 is good for the succeeding maintenance release too, my recommendation of not moving to 5.0.7 is due to a software pool depletion issue that you might run into 5.0.7.

HTH

L4 Transporter

Re: User-ID sometimes missing ntlmdomain\ on the firewall

Is this a multi domain environment and do you have server session read enabled?

For multiple domain environments the data gathered from open sessions may not be accurate. This method does not deliver domain data with the user name and it is assumed that the user is a member of the domain that the monitored server is part of.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!