mapping issue


Good Day to everyone.

I have this issue almost every day. It doesn't happen with all users at one time.

After restart, everything is working as it should work.

I have probe enabled(20 minutes) and Enable User Identification Timeout(720 minutes).

What can be the issue?

L6 Presenter

Re: mapping issue

And a very good day to you, kind sir...

Are you using agents or local Palo user mapping?

What is it that you restart to get things working again? The firewall, the user PC... or all?

It does seem odd, as you have the timeout set to 12 hours....

Re: mapping issue

Hi Mick,

I restart the PC that has this problem, and after the restart everything is working.

I use an AD username to make the connection between PAN and AD.

L6 Presenter

Re: mapping issue

So how long after you restart the PC does the problem come back for that user? Is it after 12 hours?

Re: mapping issue

For other users it happens at different times, so I can't tell you the exact time.
But with me it happens almost every morning. I take my PC home at 6 PM and come to work at 9 AM.

That makes about 15 hours.

Also, if some user turns off his PC for that time and turns it on in the morning, the same problem occurs.

I have now set this time to 20 hours. Maybe you have another solution?

Re: mapping issue

The problem also occurs when I switch to the WiFi network.

It blocks by IP.

L2 Linker

Re: mapping issue

It looks like you rely on the AD security log for User-ID and your probing configuration does not work.

So when you log in via cable, the firewall/UIA learns the mapping from the AD security log, but when you switch network connection I think you get a new IP. As there is no login event on the AD, you have no correct user-IP mapping and the connection is blocked.

Did you set the correct permissions for probing?

Take a look at: https://live.paloaltonetworks.com/t5/General-Topics/Permissions-of-user-ID-service-account-for-wmi-a...

You can check whether your AD account is allowed to get the logged-in user via the following CLI command on Windows:

WMIC /NODE: xxx.xxx.xxx.xxx COMPUTERSYSTEM GET USERNAME

Make sure that you run that command in the context of your UID Agent user!

Re: mapping issue

https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/user-id/configure-user-mapping-using...

 

Hi Alex,

Probing etc. is configured as in this article.
I have just now added our local DATA network to the include/exclude networks (include - 10.0.0.0/8).

The problem usually occurs on mornings.

L2 Linker

Re: mapping issue

The article you mentioned does not cover the permission settings on the Windows side.

Please use the wmic command mentioned before to test whether you receive the user information from the client. When you receive an empty response, the permissions are not correct.

The network must of course be in the include list for the firewall to create an IP-user mapping.
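The WMI permission check that the two replies above describe (the "WMIC ... COMPUTERSYSTEM GET USERNAME" test, run as the UID agent account, with an empty result pointing to a permissions problem) can be repeated across several clients with the script below. It is an added example, not code from the thread or from Palo Alto Networks; the account name and client IPs are placeholders, and it uses a DCOM CIM session because WMI probing from the agent uses DCOM/RPC rather than WinRM.

```powershell
# Added example (not from the thread): verify that the User-ID agent's service account
# can read the logged-on user from a set of clients via WMI, the same check as
# "WMIC /NODE: x.x.x.x COMPUTERSYSTEM GET USERNAME", but for many hosts at once.
# The account and target IPs below are placeholders; replace them with your own.

$probeAccount = 'EXAMPLE\svc-userid'            # placeholder: UID agent service account
$targets      = @('10.0.1.21', '10.0.1.22')     # placeholder: client IPs inside the include list

# Prompt for the service account's password so the probe runs in *its* security context,
# not in the context of whoever is logged on to the admin workstation.
$cred = Get-Credential -UserName $probeAccount -Message 'UID agent service account'

# WMI probing uses DCOM (TCP 135 plus dynamic RPC ports), so use a DCOM session option
# instead of the default WinRM transport to exercise the same path the agent takes.
$opt = New-CimSessionOption -Protocol Dcom

$results = foreach ($target in $targets) {
    try {
        $session = New-CimSession -ComputerName $target -Credential $cred -SessionOption $opt -ErrorAction Stop
        $cs = Get-CimInstance -CimSession $session -ClassName Win32_ComputerSystem -ErrorAction Stop
        Remove-CimSession $session

        if ([string]::IsNullOrEmpty($cs.UserName)) {
            # Query succeeded but UserName is empty: either the account lacks the WMI/DCOM
            # rights described in the thread, or nobody is logged on at the console.
            [pscustomobject]@{ Host = $target; Result = 'EMPTY'; User = ''
                               Note = 'Check WMI/DCOM permissions, or no console logon' }
        } else {
            [pscustomobject]@{ Host = $target; Result = 'OK'; User = $cs.UserName; Note = '' }
        }
    } catch {
        # Access denied, RPC server unavailable, or host powered off (the overnight case
        # described earlier in the thread) all surface here.
        [pscustomobject]@{ Host = $target; Result = 'ERROR'; User = ''; Note = $_.Exception.Message }
    }
}

# Table of hosts whose probe did not return a username; these are the PCs that will
# not get a fresh IP-user mapping when their IP changes without a new AD logon event.
$results | Format-Table -AutoSize
$results | Where-Object { $_.Result -ne 'OK' } | Select-Object Host, Result, Note
```

Run it from a management host that can reach the clients on TCP 135 and the RPC range; a row showing OK with a username confirms the probe path works for that client under the agent account.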

L7 Applicator

Re: mapping issue

Hello,

Do you use MS Exchange for email? If yes, I have found those logs to be quicker to respond to IP changes, i.e. wireless to WiFi. Sometimes what happens on a PC is that other accounts are running on it from external sources, so the mapping in the PAN won't be correct.

For example, if you use a 3rd-party tool to push out software or updates that uses a service account, then the IP-to-user mapping in the PAN will most likely show the service account, since it only uses the last account to log into a PC.

This has caused me issues in the past when performing vulnerability scans. All of a sudden it would look like my scanning account was logged into the PC, and it was, for scanning purposes.

You can check the Unified logs to make sure the IP/username is correct for that PC, or to help you track down what is causing it to change.

Hope that helps.
