Issue
The agentless User-ID feature is configured with client probing enabled, using a service account that holds the Server Operators and Event Log Readers rights. When viewing the IP-to-user mapping, the IPs are mapped to the service (admin) account rather than to the user actually logged on to the host.
Note: Agentless User-ID was introduced in PAN-OS 5.0.
Here is an example of the IP-to-user mapping table (output of show user ip-user-mapping all) in this scenario:
IP               Vsys   From     User                           IdleTimeout(s)  MaxTimeout(s)
10.38.135.32     vsys1  AD       domain/admin                   1995            1995
10.39.240.252    vsys1  AD       blr-els-nw-ts-1\administrator  1222            1222
172.16.114.58    vsys1  Unknown  unknown                        0               3
10.38.17.242     vsys1  AD       sw017242\administrator         429             429
10.38.35.31      vsys1  Unknown  unknown                        2               5
10.38.41.125     vsys1  AD       domain/admin                   98              98
10.38.41.124     vsys1  AD       domain/admin                   876             876
10.38.39.79      vsys1  AD       domain/admin                   2169            2169
10.17.58.44      vsys1  AD       odls-win7\administrator        1708            1708
10.38.172.154    vsys1  AD       domain/admin                   1332            1332
10.20.139.164    vsys1  AD       domain/admin                   1803            7
10.38.153.80     vsys1  Unknown  unknown                        1               4
10.38.97.115     vsys1  AD       domain/admin                   227             227
10.38.172.159    vsys1  AD       domain/admin                   1450            1450
10.38.39.243     vsys1  Unknown  unknown                        0               3
The domain/admin account above is the service account that holds the Event Log Readers, Server Operators, and Distributed COM Users group memberships.
A corresponding userid log may appear as follows (note datasourcename "probing" on the rows that carry the service account):
admin > show log userid direction equal backward
Domain,Receive Time,Serial #,Type,Threat/Content Type,Config Version,Generate Time,Virtual System,ip,User,datasourcename,eventid,Repeat Count,timeout,beginport,endport,datasource,datasourcetype,seqno,actionflags
1,2013/03/19 10:55:23,0009C101625,USERID,login,3,2013/03/19 10:55:23,vsys1,10.38.97.103,domain/admin,probing,0,1,2700,0,0,active-directory,unknown,1861,0x0
1,2013/03/19 10:52:54,0009C101625,USERID,login,3,2013/03/19 10:52:54,vsys1,10.38.45.188,domain/admin,probing,0,1,2700,0,0,active-directory,unknown,1860,0x0
1,2013/03/19 10:52:44,0009C101625,USERID,login,3,2013/03/19 10:52:44,vsys1,10.38.97.120,domain/admin,probing,0,1,2700,0,0,active-directory,unknown,1859,0x0
1,2013/03/19 10:51:34,0009C101625,USERID,login,3,2013/03/19 10:51:34,vsys1,10.38.41.0,domain/admin,probing,0,1,2700,0,0,active-directory,unknown,1858,0x0
1,2013/03/19 10:50:22,0009C101625,USERID,login,3,2013/03/19 10:50:22,vsys1,10.38.61.51,ixia6151\admin,probing,0,1,2700,0,0,active-directory,unknown,1857,0x0
Cause
Client probing is performed with the same service account that is used to read the AD event logs. When the probe of a host succeeds, the firewall records a login for the probing account at the probed IP (the rows with datasourcename "probing" above). Because the probe succeeds on every host that is probed, the real username learned from the security log is overwritten with the service account name.
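To see how widespread the overwrite is before and after the fix, the following Python script parses the two outputs shown above (the IP-to-user mapping table and the CSV rows of show log userid), lists the IPs whose mapping was written by probing with the service account, and builds the ignore-user command from the Resolution section. This is an added example, not code from the original article or from Palo Alto Networks. The sample rows are constructed from the article's values; the "dc01" data source name and the 4624 event ID on the normal-login row are assumptions, as is the service account name passed in.

```python
"""Report User-ID mappings that the probing service account has overwritten.

Added example (not part of the article or PAN-OS). Works offline on text
pasted from `show user ip-user-mapping all` and `show log userid`.
"""
import csv
import io
import ipaddress

# Header line printed by `show log userid` (copied from the article).
USERID_FIELDS = (
    "Domain,Receive Time,Serial #,Type,Threat/Content Type,Config Version,"
    "Generate Time,Virtual System,ip,User,datasourcename,eventid,Repeat Count,"
    "timeout,beginport,endport,datasource,datasourcetype,seqno,actionflags"
).split(",")

# Constructed sample: three probing rows and one normal security-log login.
# The "dc01" datasourcename and eventid 4624 on the last row are assumed values.
SAMPLE_USERID_LOG = """\
1,2013/03/19 10:55:23,0009C101625,USERID,login,3,2013/03/19 10:55:23,vsys1,10.38.97.103,domain/admin,probing,0,1,2700,0,0,active-directory,unknown,1861,0x0
1,2013/03/19 10:52:54,0009C101625,USERID,login,3,2013/03/19 10:52:54,vsys1,10.38.45.188,domain/admin,probing,0,1,2700,0,0,active-directory,unknown,1860,0x0
1,2013/03/19 10:50:22,0009C101625,USERID,login,3,2013/03/19 10:50:22,vsys1,10.38.61.51,ixia6151\\admin,probing,0,1,2700,0,0,active-directory,unknown,1857,0x0
1,2013/03/19 10:49:10,0009C101625,USERID,login,3,2013/03/19 10:49:10,vsys1,10.38.41.125,domain\\jsmith,dc01,4624,1,2700,0,0,active-directory,unknown,1856,0x0
"""

# Constructed sample of the mapping table, with the column header the CLI prints.
SAMPLE_MAPPING = """\
IP               Vsys   From     User                           IdleTimeout(s)  MaxTimeout(s)
10.38.135.32     vsys1  AD       domain/admin                   1995            1995
10.39.240.252    vsys1  AD       blr-els-nw-ts-1\\administrator  1222            1222
172.16.114.58    vsys1  Unknown  unknown                        0               3
10.38.41.125     vsys1  AD       domain/admin                   98              98
"""


def norm_user(user):
    """Case-fold and unify the domain separator so domain\\admin == domain/admin."""
    return user.replace("\\", "/").lower()


def parse_userid_log(text):
    """Turn CSV rows of `show log userid` into dicts keyed by the header names."""
    return [dict(zip(USERID_FIELDS, row)) for row in csv.reader(io.StringIO(text)) if row]


def parse_ip_user_mapping(text):
    """Parse the six-column mapping table; the header line is skipped because 'IP' is not an address."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        rows.append(dict(zip(("ip", "vsys", "from", "user", "idle", "max"), parts)))
    return rows


def probe_overwrites(entries, service_accounts):
    """IPs whose login row came from probing AND names the probing account itself."""
    wanted = {norm_user(u) for u in service_accounts}
    hits = {e["ip"] for e in entries
            if e["datasourcename"] == "probing" and norm_user(e["User"]) in wanted}
    return sorted(hits, key=ipaddress.ip_address)


def mapped_to_service_account(rows, service_accounts):
    """IPs in the mapping table currently attributed to the service account."""
    wanted = {norm_user(u) for u in service_accounts}
    return sorted({r["ip"] for r in rows if norm_user(r["user"]) in wanted},
                  key=ipaddress.ip_address)


def ignore_user_command(users):
    """Configure-mode command from the article; square brackets only for more than one name."""
    users = list(users)
    if len(users) == 1:
        return f"set user-id-collector ignore-user {users[0]}"
    return "set user-id-collector ignore-user [ " + " ".join(users) + " ]"


if __name__ == "__main__":
    svc = ["domain\\admin"]
    print("probe overwrites :", probe_overwrites(parse_userid_log(SAMPLE_USERID_LOG), svc))
    print("mapped to svc acct:", mapped_to_service_account(parse_ip_user_mapping(SAMPLE_MAPPING), svc))
    print("fix             :", ignore_user_command(["domain\\admin", "admin"]))
```

Run it once against the current outputs to record the affected IPs, commit the ignore-user change, wait for the next probe cycle, and run it again: the probe-overwrite list should be empty and the mapping table should show real usernames for those hosts. The ixia6151\admin row is deliberately not counted, since a local administrator logon at a probed host is a real user and not the service account.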
Resolution
Place the service account (domain/admin here) in the User-ID ignore list so that its probe logins no longer overwrite the real user's mapping.
- Enter the CLI and switch to configure mode:
> configure
- Add the service account to the ignore list (here domain\admin and its short form admin; a list of several names goes in square brackets):
# set user-id-collector ignore-user [ domain\admin admin ]
Another example in the same form:
# set user-id-collector ignore-user [ AD2008\test test ]
To add a single user, omit the square brackets:
# set user-id-collector ignore-user AD2008\test
- Commit the changes:
# commit
After the commit, check show user ip-user-mapping all again: once the existing entries time out or are refreshed from the security log, the probed hosts should show their real users instead of the service account.
owner: anatrajan