Unknown IP Rate Limit Mitigation for User-ID Mappings

Created On 09/26/18 13:50 PM - Last Modified 09/25/23 12:42 PM


Symptom


  • Users are not identified and appear as 'unknown' in the firewall’s user-IP mappings. This can result in users matching a wrong rule and cause traffic to be dropped or blocked.
  • The following message appears in the User-ID log (useridd.log):
> tail follow yes mp-log useridd.log

2014-01-20 14:07:45.498 +0100 pan_user_id_agent_update_unknown_ip_rate_limit: Unknown IP rate is now 101, enabling rate limiting for VM1_collector
  • A check on the number of unknown IP-user mappings returns a high value, for example: 
> show user ip-user-mapping all type UNKNOWN option count

Total: 349 users


Environment


  • User-ID IP Mapping
  • All PAN-OS Versions


Cause


Devices that are neither members of the corporate domain nor have a real user behind them are often overlooked when designing the User-ID topology. These devices, together with 'bring your own device' (BYOD) equipment and smartphones, behave like employee workstations and generate sessions through the corporate firewall, placing additional load on the User-ID topology. Smartphones alone double the number of users that must be identified and matched to the correct security policy. In this scenario it is possible to reach the firewall's limit for unknown IP addresses queried from the User-ID agents.

Rate limiting is triggered when the rate of queries for unknown IP addresses sent from the firewall to the User-ID Agent exceeds 100 unknown IP addresses per second. At the time this log message is generated, the firewall has many unknown IP addresses in its user-IP mappings. While rate limiting is active, any request for an unknown IP address that would be sent to the User-ID Agent is dropped, and the mapping is not requested from the agent.

Note: The limit on the firewall is 100 requests for unknown IP addresses per second, which is a high rate even for the largest deployments. Most users, even with default settings, are unlikely to notice this issue during the lifespan of the firewall.

The rate limiting normally lasts a couple of seconds (depending on the network), and the administrator can see it being removed in the same log file (useridd.log):

2014-01-20 14:07:45.498 +0100 pan_user_id_agent_update_unknown_ip_rate_limit: Unknown IP rate is now 101, enabling rate limiting for VM1_collector

2014-01-20 14:07:47.504 +0100 pan_user_id_agent_update_unknown_ip_rate_limit: Unknown IP rate rate is now 76, disable rate limiting for VM1_collector

Running the same operational command after rate limiting has finished shows a significantly smaller number of unknown users. For example:

> show user ip-user-mapping all type UNKNOWN option count

Total: 21 users

During that period (2 seconds in the example above), all requests for IP-user mappings were discarded. The rate-limiting period is short, and “unknown” IP-user mappings have significantly shorter expiration timers than identified users. However, it is possible that users are matched to the wrong rules because of this limiting process. This shows up as unusual traffic logs, where a user is logged as the source of traffic, followed by an “unknown” user as the source from the same IP address, and later by the user being correctly mapped again. Recovery depends on the activity of the user: when the user initiates another session, the firewall sends a new request to the User-ID Agent because it has an “unknown” user assigned to that IP address, and the agent replies with the mapping.
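The enable/disable pair in useridd.log is the only record of how long requests were being dropped. The following added example (not part of this article or of PAN-OS) parses those two message formats, pairs them per collector and reports the duration and the peak unknown-IP rate; the log lines are a constructed sample in the format shown above, and a period with no matching disable message is reported as still active.

```python
import re
from datetime import datetime

# Constructed sample of useridd.log lines in the format shown in the article
# (the second line is an unrelated message, included to show that it is skipped).
SAMPLE_LOG = """\
2014-01-20 14:07:45.498 +0100 pan_user_id_agent_update_unknown_ip_rate_limit: Unknown IP rate is now 101, enabling rate limiting for VM1_collector
2014-01-20 14:07:46.100 +0100 pan_user_id_agent_update_ip_mapping: unrelated message (constructed)
2014-01-20 14:07:47.504 +0100 pan_user_id_agent_update_unknown_ip_rate_limit: Unknown IP rate rate is now 76, disable rate limiting for VM1_collector
2014-01-20 15:30:00.000 +0100 pan_user_id_agent_update_unknown_ip_rate_limit: Unknown IP rate is now 140, enabling rate limiting for VM2_collector
"""

# The disable message repeats the word "rate", so that token is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"pan_user_id_agent_update_unknown_ip_rate_limit: "
    r"Unknown IP rate (?:rate )?is now (?P<rate>\d+), "
    r"(?P<action>enabling|disable) rate limiting for (?P<agent>\S+)$"
)

def parse_rate_limit_events(text):
    """Return a list of (timestamp, agent, rate, action) for each rate-limit message."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f %z")
            events.append((ts, m["agent"], int(m["rate"]), m["action"]))
    return events

def rate_limit_periods(text):
    """Pair each 'enabling' message with the next 'disable' for the same agent.
    Returns {agent: [period, ...]}; 'end' and 'seconds' are None while still active."""
    active, periods = {}, {}
    for ts, agent, rate, action in parse_rate_limit_events(text):
        if action == "enabling":
            active[agent] = (ts, rate)       # remember when limiting started
        elif agent in active:
            start, peak = active.pop(agent)
            periods.setdefault(agent, []).append({
                "start": start, "end": ts,
                "seconds": (ts - start).total_seconds(), "peak_rate": peak})
    for agent, (start, peak) in active.items():   # limiting never lifted in this log
        periods.setdefault(agent, []).append(
            {"start": start, "end": None, "seconds": None, "peak_rate": peak})
    return periods
```

Running `rate_limit_periods(SAMPLE_LOG)` on the constructed sample gives a 2.006 s period for VM1_collector with a peak rate of 101, and an open period for VM2_collector.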

The high rate of unknown user-IP requests from the firewall can occur when there are many systems with no users behind them: IP phones, mobile phones, printers, wireless access points, servers and workstations that are not part of the domain, and other machines used in the corporation. Because these devices frequently initiate sessions and have no users behind them, the Palo Alto Networks firewall constantly tries to map them.



Resolution


To resolve the issue, use the User Identification ACLs on the zones where User Identification is enabled.

  1. Go to Network > Zones.
  2. Select the zone where user identification is enabled.
  3. Add an exclude and/or include list, as needed. Both lists are empty by default, which means that the firewall attempts to identify users behind all IP addresses that generate traffic. If the include list is empty, the firewall includes all the IP addresses, except those on the exclude list.

To review the zone configuration, view the same settings on the CLI. For example:

> configure

# show zone Trust-L3

Trust-L3 {
  network {
    layer3 [ ethernet1/2 loopback.4 vlan.30];
  }
  enable-user-identification yes;
  user-acl {
    exclude-list [ 10.2.13.0/24 10.8.97.0/27 172.120.5.0/25 Androids "http servers dynamic group" iPhones];
  }
}

This limits the number of requests that the firewall sends to the User-ID Agent, because it no longer requests mappings for the objects in the exclude list. Users behind those addresses are not identified and do not appear in the logs. The list can contain IP addresses, networks, objects, or object groups (static or dynamic).



Additional Information


See below for some FAQs and more information about this issue:

  • What is the actual impact of User-ID enabling rate limiting for unknown IPs?
    1. The firewall rate-limits the requests it sends for IP-user mappings because more than 100 unknown users per second are generating traffic that hits the dataplane (DP).
    2. The rate-limiting period is short, and “unknown” IP-user mappings have significantly shorter expiration timers than identified users. However, it is possible that users are matched to the wrong rules because of this limiting process. This shows up as unusual traffic logs, where a user is logged as the source of traffic, followed by an “unknown” user as the source from the same IP address, and later by the user being correctly mapped again. Recovery depends on the activity of the user: when the user initiates another session, the firewall sends a new request to the User-ID Agent because it has an “unknown” user assigned to that IP address, and the agent replies with the mapping.
  • Are there any mitigations available besides zone include/exclude ACLs that we should know about?
    1. Global on the firewall
      1. You may want to use the feature below, but it only applies to the user-IP mappings that you want to learn.
        • Define Subnetworks to Include/Exclude for User Mapping
        • Device > User Identification > User Mapping
        • Use the Include/Exclude Networks list to define the subnetworks that the User-ID agent includes or excludes when performing IP address-to-username mapping (discovery).
      2. Per zone on the firewall, for zones with User-ID enabled:
        1. See the Resolution section of this article.
        2. BIG CAVEAT - From the Online Help:
          • "If you add entries to the Exclude List but not the Include List, the firewall excludes user mapping information for all subnetworks within the zone, not just the subnetworks you added."
          • We include the RFC 1918 networks in the Include List because the exclude list takes precedence over the include list.
  • Is there a "nerd knob" that can be adjusted on larger platforms to raise the threshold?
    1. No, the rate is hard-coded to 100 unknown users per second regardless of platform.
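To make the caveat concrete, the following added example (not from this article or from PAN-OS) models the zone user-acl decision with the rules stated in this article, treating an exclude list with an empty include list as excluding the whole zone (the Online Help caveat above), and compares the Trust-L3 exclude list alone with the same list plus the RFC 1918 include entries. The address-object members and the sample source addresses are constructed, since the article names the objects but does not list their contents.

```python
import ipaddress

# Address objects named in the zone's exclude list. The article gives only the
# object names, so these members are constructed sample values.
OBJECTS = {
    "Androids": ["10.50.0.0/16"],
    "iPhones": ["10.51.0.0/16"],
    "http servers dynamic group": ["10.2.14.10/32", "10.2.14.11/32"],
}
# Exclude list copied from the article's Trust-L3 zone configuration.
EXCLUDE = ["10.2.13.0/24", "10.8.97.0/27", "172.120.5.0/25", "Androids",
           "http servers dynamic group", "iPhones"]
# Include list recommended in the FAQ: the RFC 1918 private ranges.
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

def expand(entries):
    """Resolve object names to their members and parse everything as networks."""
    return [ipaddress.ip_network(cidr, strict=False)
            for entry in entries for cidr in OBJECTS.get(entry, [entry])]

def will_request_mapping(ip, include_list, exclude_list):
    """Decide whether the zone user-acl lets the firewall ask the User-ID
    Agent to map this source address, using the rules stated in the article:
      - both lists empty: every address is identified;
      - an exclude entry always wins over an include entry;
      - exclude entries with an empty include list: the firewall excludes
        user mapping for the whole zone (the Online Help caveat)."""
    addr = ipaddress.ip_address(ip)
    includes, excludes = expand(include_list), expand(exclude_list)
    if any(addr in net for net in excludes):
        return False
    if not includes:
        return not excludes           # exclude-only acl: nothing is identified
    return any(addr in net for net in includes)

def compare_configs(ips):
    """For each address: (exclude list only, exclude list plus RFC 1918 includes)."""
    return {ip: (will_request_mapping(ip, [], EXCLUDE),
                 will_request_mapping(ip, RFC1918, EXCLUDE)) for ip in ips}

if __name__ == "__main__":
    # Constructed sample sources: domain workstation, printer, phone, internet host
    for ip, res in compare_configs(["10.1.1.20", "10.2.13.5", "10.51.3.4", "203.0.113.5"]).items():
        print(f"{ip:>12}  exclude-only: {res[0]!s:5}  with RFC1918 include: {res[1]}")
```

With the exclude list alone no source in the zone is identified, including the domain workstation; adding the RFC 1918 include entries restores identification for the workstation while the printer and phone ranges stay excluded.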

