Admin Username Overrides Actual Usernames in IP-mapping When Using Agentless User-ID with Client Probing

Created On 09/26/18 13:55 PM - Last Modified 06/15/23 20:20 PM



Issue

The agentless User-ID feature is configured with client probing enabled, using a service account that holds the Server Operators and Event Log Readers privileges. When viewing the IP-mapping, IPs are mapped to the service (admin) username instead of the username of the user actually logged in at the host.

Note: Agentless User-ID was introduced in PAN-OS 5.0.

Here is an example of the user-IP mapping table in this scenario:

IP              Vsys   From      User                            IdleTimeout(s)  MaxTimeout(s)
10.38.135.32    vsys1  AD        domain/admin                    1995            1995
10.39.240.252   vsys1  AD        blr-els-nw-ts-1\administrator   1222            1222
172.16.114.58   vsys1  Unknown   unknown                         0               3
10.38.17.242    vsys1  AD        sw017242\administrator          429             429
10.38.35.31     vsys1  Unknown   unknown                         2               5
10.38.41.125    vsys1  AD        domain/admin                    98              98
10.38.41.124    vsys1  AD        domain/admin                    876             876
10.38.39.79     vsys1  AD        domain/admin                    2169            2169
10.17.58.44     vsys1  AD        odls-win7\administrator         1708            1708
10.38.172.154   vsys1  AD        domain/admin                    1332            1332
10.20.139.164   vsys1  AD        domain/admin                    1803            7
10.38.153.80    vsys1  Unknown   unknown                         1               4
10.38.97.115    vsys1  AD        domain/admin                    227             227
10.38.172.159   vsys1  AD        domain/admin                    1450            1450
10.38.39.243    vsys1  Unknown   unknown                         0               3

The domain/admin entries above are the service account configured with the Event Log Readers, Server Operators, and Distributed COM Users privileges.

A corresponding userid log may appear as follows:

admin > show log userid direction equal backward

Domain,Receive Time,Serial #,Type,Threat/Content Type,Config Version,Generate Time,Virtual System,ip,User,datasourcename,eventid,Repeat Count,timeout,beginport,endport,datasource,datasourcetype,seqno,actionflags
1,2013/03/19 10:55:23,0009C101625,USERID,login,3,2013/03/19 10:55:23,vsys1,10.38.97.103,domain/admin,probing,0,1,2700,0,0,active-directory,unknown,1861,0x0
1,2013/03/19 10:52:54,0009C101625,USERID,login,3,2013/03/19 10:52:54,vsys1,10.38.45.188,domain/admin,probing,0,1,2700,0,0,active-directory,unknown,1860,0x0
1,2013/03/19 10:52:44,0009C101625,USERID,login,3,2013/03/19 10:52:44,vsys1,10.38.97.120,domain/admin,probing,0,1,2700,0,0,active-directory,unknown,1859,0x0
1,2013/03/19 10:51:34,0009C101625,USERID,login,3,2013/03/19 10:51:34,vsys1,10.38.41.0,domain/admin,probing,0,1,2700,0,0,active-directory,unknown,1858,0x0
1,2013/03/19 10:50:22,0009C101625,USERID,login,3,2013/03/19 10:50:22,vsys1,10.38.61.51,ixia6151\admin,probing,0,1,2700,0,0,active-directory,unknown,1857,0x0

Cause

The client probe logs on to each host with the same service account that is used to read the AD event logs, so a successful probe is recorded under that account's name rather than the name of the user logged in at the host. Because the admin user's probe succeeds for every IP that is probed, the actual username in the IP-mapping is overwritten with the admin username.

Resolution

Place the admin user in the ignore list so that logons by the service account are not used for IP-user mapping; the actual username is then no longer overwritten.

  1. Enter configuration mode in the CLI:
     > configure
  2. Add the admin user to the ignore list (the list accepts both domain-qualified and bare usernames):
     # set user-id-collector ignore-user [ domain\admin admin ]
     Another example in standard format:
     # set user-id-collector ignore-user [ AD2008\test test ]
     To add a single user, omit the square brackets:
     # set user-id-collector ignore-user AD2008\test
  3. Commit the changes:
     # commit
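As an added example (not part of this article and not Palo Alto Networks' own tooling), the following Python script shows how an administrator can audit an exported userid log for the symptom described in the log section above and build the ignore-user command from the resolution steps. The sample rows are constructed in the article's log format: the serial number is replaced by a placeholder, and one extra non-probing row with a placeholder data source name is included so the check can be seen to leave a legitimate mapping alone. Function names are the example's own.

```python
import csv
import io

# Column header exactly as printed by "show log userid" in the article.
USERID_LOG_HEADER = (
    "Domain,Receive Time,Serial #,Type,Threat/Content Type,Config Version,"
    "Generate Time,Virtual System,ip,User,datasourcename,eventid,Repeat Count,"
    "timeout,beginport,endport,datasource,datasourcetype,seqno,actionflags"
)

# Constructed sample rows in the article's format. SERIAL-PLACEHOLDER stands in for the
# device serial. The last row is constructed to show a mapping learned from a source other
# than client probing; its datasourcename is a placeholder, not a documented PAN-OS value.
SAMPLE_USERID_LOG = USERID_LOG_HEADER + "\n" + "\n".join([
    "1,2013/03/19 10:55:23,SERIAL-PLACEHOLDER,USERID,login,3,2013/03/19 10:55:23,vsys1,"
    "10.38.97.103,domain/admin,probing,0,1,2700,0,0,active-directory,unknown,1861,0x0",
    "1,2013/03/19 10:52:54,SERIAL-PLACEHOLDER,USERID,login,3,2013/03/19 10:52:54,vsys1,"
    "10.38.45.188,domain/admin,probing,0,1,2700,0,0,active-directory,unknown,1860,0x0",
    "1,2013/03/19 10:50:22,SERIAL-PLACEHOLDER,USERID,login,3,2013/03/19 10:50:22,vsys1,"
    "10.38.61.51,ixia6151\\admin,probing,0,1,2700,0,0,active-directory,unknown,1857,0x0",
    "1,2013/03/19 10:49:10,SERIAL-PLACEHOLDER,USERID,login,3,2013/03/19 10:49:10,vsys1,"
    "10.38.61.52,domain/jsmith,PLACEHOLDER-SOURCE,0,1,2700,0,0,active-directory,unknown,1856,0x0",
])


def split_account(user):
    """Split 'domain/user' or 'domain\\user' into (domain, user), lowercased.

    The log uses '/', the CLI and mapping table use '\\'; a bare name yields ('', user).
    """
    for sep in ("\\", "/"):
        if sep in user:
            domain, _, name = user.partition(sep)
            return domain.lower(), name.lower()
    return "", user.lower()


def parse_userid_log(text):
    """Parse the CSV text of 'show log userid' into a list of dict rows keyed by header."""
    return list(csv.DictReader(io.StringIO(text)))


def find_probe_overrides(rows, service_accounts):
    """Return [(ip, user, seqno)] for mappings learned by client probing whose user is a
    service account. A domain-qualified entry matches only that domain; a bare entry
    matches the name in any domain, mirroring the two forms the ignore list accepts."""
    ignored = {split_account(a) for a in service_accounts}
    hits = []
    for row in rows:
        if row["datasourcename"] != "probing":
            continue
        domain, name = split_account(row["User"])
        if (domain, name) in ignored or ("", name) in ignored:
            hits.append((row["ip"], row["User"], int(row["seqno"])))
    return hits


def ignore_user_command(accounts):
    """Build the CLI line from the article: brackets only when more than one account."""
    accounts = list(dict.fromkeys(accounts))  # de-duplicate, keep order
    if len(accounts) == 1:
        return f"set user-id-collector ignore-user {accounts[0]}"
    return "set user-id-collector ignore-user [ " + " ".join(accounts) + " ]"


if __name__ == "__main__":
    service_accounts = ["domain\\admin", "admin"]
    rows = parse_userid_log(SAMPLE_USERID_LOG)
    for ip, user, seqno in find_probe_overrides(rows, service_accounts):
        print(f"probe-sourced mapping for service account: {ip} -> {user} (seqno {seqno})")
    print(ignore_user_command(service_accounts))
```

The check keys on the datasourcename column rather than on the username alone, so a legitimate logon of the same account seen through the event log is not flagged; the bare-name rule exists because probing can report a local account (ixia6151\admin in the article's log) that carries the host name rather than the AD domain.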

 

owner: anatrajan


