user-ID cache timeout vs idle timeout on firewall

L3 Networker

user-ID cache timeout vs idle timeout on firewall

Hi 

 

1- On the firewall, what is the difference between the cache timeout value (1 hour, which cannot be configured) and the idle timeout value (which is equal to the User-ID agent timeout value)? 

3- If the idle timeout value is 480 minutes (8 hours), then what will happen to the user-IP mapping after one hour on the firewall?

2- Also, what events reset both timers?

3- Also, I notice that when a user is logged in to a machine but has locked the machine, the User-ID agent shows the correct username-to-IP mapping BUT the firewall shows the machine name with a '$' sign. Once the user unlocks and logs in again, the User-ID agent still shows the correct username-to-IP mapping AND the firewall now also shows the correct username-to-IP mapping. Can someone explain this to me?

 

192.168.44.100   vsys1   UIA   my-domain\windows7$           28471     28471 

L3 Networker

Re: user-ID cache timeout vs idle timeout on firewall

@reaper can you please help me with point 3 especially 

Community Manager

Re: user-ID cache timeout vs idle timeout on firewall

hi @faizankhurshid !

 

1. So the firewall gets user information from the User-ID agent and sets it to an idle timeout of 1 hour. After an hour it will check with the User-ID agent to make sure the user still has a mapping (the UIA is the authority) and if so, refresh the mapping.

 

eh.. 3.1: see 1., the firewall queries the User-ID agent to ensure the mapping is still good; if the UIA still has 7 hours left, the mapping is refreshed on the firewall.

 

2. If they happen to time out at exactly the same time, the mapping will simply disappear until a new event creates a new mapping. If the agent times out first, it will send a delete message to the firewall and the mapping will be removed before it reaches idle. If the firewall times out first, it will query the User-ID agent and refresh the mapping, then will receive a delete and clear the mapping anyway when the agent clears the user.

 

3.2 What version are your User-ID agents on? Do you have probing enabled?


Help the community: Like helpful comments and mark solutions
Reaper out
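The timer interaction described in points 1 and 2 above, as an added illustration that is not part of the original thread and not Palo Alto Networks code: a simplified event-driven model in which the firewall holds a fixed 60-minute idle timer and re-queries the agent (the authority) on expiry, while the agent holds the configurable timeout and sends a delete when its own entry expires. The IP and username are constructed sample values; the ordering (agent delete is processed before the firewall's idle check in the same minute) is an assumption of this model.

```python
from dataclasses import dataclass, field

# Per the thread: the firewall's cache/idle timer is fixed at 1 hour and not configurable.
FIREWALL_IDLE_TIMEOUT_MIN = 60


@dataclass
class UserIdAgent:
    """Holds the authoritative IP -> user mapping with a configurable timeout (minutes)."""
    timeout_min: int
    mappings: dict = field(default_factory=dict)  # ip -> (user, expires_at)

    def learn(self, ip: str, user: str, now: int) -> None:
        # A logon event (re)starts the agent timer for this IP.
        self.mappings[ip] = (user, now + self.timeout_min)

    def lookup(self, ip: str, now: int):
        # The firewall asks "does this IP still have a user?"; None if expired/unknown.
        entry = self.mappings.get(ip)
        return entry[0] if entry and entry[1] > now else None

    def expire(self, now: int) -> list:
        # Entries whose timer ran out; the agent sends a delete to the firewall for each.
        expired = [ip for ip, (_, exp) in self.mappings.items() if exp <= now]
        for ip in expired:
            del self.mappings[ip]
        return expired


@dataclass
class Firewall:
    agent: UserIdAgent
    mappings: dict = field(default_factory=dict)  # ip -> (user, idle_expires_at)
    events: list = field(default_factory=list)    # (minute, description) audit trail

    def receive_mapping(self, ip: str, user: str, now: int) -> None:
        self.mappings[ip] = (user, now + FIREWALL_IDLE_TIMEOUT_MIN)
        self.events.append((now, f"learn {ip}->{user}"))

    def receive_delete(self, ip: str, now: int) -> None:
        if ip in self.mappings:
            del self.mappings[ip]
            self.events.append((now, f"delete {ip}"))

    def tick(self, now: int) -> None:
        # On idle expiry, re-query the agent: refresh if it still knows the user, else drop.
        for ip, (_, exp) in list(self.mappings.items()):
            if exp <= now:
                current = self.agent.lookup(ip, now)
                if current is None:
                    del self.mappings[ip]
                    self.events.append((now, f"idle-expire {ip}"))
                else:
                    self.mappings[ip] = (current, now + FIREWALL_IDLE_TIMEOUT_MIN)
                    self.events.append((now, f"refresh {ip}->{current}"))

    def user_for(self, ip: str):
        entry = self.mappings.get(ip)
        return entry[0] if entry else None


def simulate(agent_timeout_min: int, total_min: int,
             ip: str = "192.168.44.100", user: str = "my-domain\\alice") -> list:
    """Single logon at minute 0, then advance the clock; returns the firewall's event log."""
    agent = UserIdAgent(agent_timeout_min)
    fw = Firewall(agent)
    agent.learn(ip, user, 0)          # agent sees the logon ...
    fw.receive_mapping(ip, user, 0)   # ... and forwards the mapping to the firewall
    for now in range(1, total_min + 1):
        for gone in agent.expire(now):  # agent timer first: delete reaches firewall
            fw.receive_delete(gone, now)
        fw.tick(now)                    # then the firewall's own idle check
    return fw.events


if __name__ == "__main__":
    for timeout in (480, 90, 60, 45):
        print(f"agent timeout {timeout} min:")
        for minute, what in simulate(timeout, 600):
            print(f"  t={minute:>3}  {what}")
```

With the 480-minute agent timeout from the question, the model shows the firewall refreshing the mapping from the agent at minutes 60 through 420 and then dropping it at minute 480 on the agent's delete, so the effective lifetime on the firewall is the agent's timeout, not the firewall's 1-hour timer. A 90-minute agent timeout reproduces the "firewall times out first" case (refresh at 60, delete at 90), and a 45-minute one the "agent times out first" case (delete at 45, before any idle check).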
L3 Networker

Re: user-ID cache timeout vs idle timeout on firewall

@reaper thanks for the crystal clear explanation. I double-checked on the agent and there is no NetBIOS or WMI probing enabled. I am using 8.1.0-66. When the user logs in, the firewall shows the correct mapping for a few seconds at most and then it keeps showing "domain-name/computer-name$", and policies based on that User-ID stop working.

 

 

Community Manager

Re: user-ID cache timeout vs idle timeout on firewall

hm

 

Did you configure agentless User-ID on the firewall perhaps (with probing)? 

You may want to reach out to support to have them take a closer look; other than probing there's no explanation I can provide at this time.


Help the community: Like helpful comments and mark solutions
Reaper out
L2 Linker

Re: user-ID cache timeout vs idle timeout on firewall

I'm also seeing machine accounts in the log instead of the user from time to time.

 

Using UID-agent 8.0.4-5. No probing.

L6 Presenter

Re: user-ID cache timeout vs idle timeout on firewall

@superture, hi.

 

Can I just ask, are you seeing these entries in the User-ID agent log, or just on the PA?

L2 Linker

Re: user-ID cache timeout vs idle timeout on firewall

Hi there

Both
L3 Networker

Re: user-ID cache timeout vs idle timeout on firewall

Question:

 

@reaper thanks for the crystal clear explanation. I double-checked on the agent and there is no NetBIOS or WMI probing enabled. I am using 8.1.0-66. When the user logs in, the firewall shows the correct mapping for a few seconds at most and then it keeps showing "domain-name/computer-name$", and policies based on that User-ID stop working.

 

Answer:

This is an issue with User-ID agent 8.1.0-66, and I would request that you open a support case and refer to Palo Alto internal issue number WINAGENT-314.

 

Regards

Khan
