Management Articles

Featured Article
Palo Alto Networks suggests using the following settings for port allocation on the Terminal Server Agent:

If the Port Allocation Start Size per User is set to 400 and the Port Allocation Maximum Size per User is set to 4000, each time a user uses up 400 ports the TS Agent allocates another 400 ports, until the maximum of 4000 is reached, at which point the allocation fails. If a user application connects and closes a connection to the same destination port multiple times in a very short time, the source ports can be used to connect to another destination port. If the TCPTimedWaitDelay on the Windows server has not expired from the previous connection, the same destination port cannot be used. TCPTimedWaitDelay can be decreased to a smaller value (valid range is 30-300 seconds, default is 240) to free up the destination port.

It is also possible to decrease the Port Allocation Start Size per User and the Port Allocation Maximum Size per User if there is a need to free up ports to allow more user connections.

The Source Port Allocation Range can be configured between 1 and 65535, but the server's own source ports must also be reserved (Reserved Source Ports) to ensure they are not allocated to users. You can verify the user-to-port-range mapping by viewing the TS-Agent Monitor to determine current users and port allocations. Refresh the count by clicking Refresh Ports Counts.

owner: panagent
View full article
nrice ‎09-14-2018 12:02 PM
10,764 Views
0 Replies
1 Like
Overview
The Include/Exclude list is applied to networks and hosts identified through the User-ID Agent. The User-ID Agent tries to identify users for the IP ranges designated as Include, and does not identify users for the network address ranges designated as Exclude. Note that this is different from the user and group ignore lists: it is only concerned with which networks to include or exclude for the purposes of mapping users.

Details
If the Include/Exclude list is empty, users on any network can be identified and mapped by the User-ID Agent. When an entry is added to the Include list, there is an implicit deny for any other IP address. The order of entries in the Include/Exclude list is important, as the list is processed top to bottom.

For example, to exclude the subnet 192.168.1.0/24 from the larger subnet 192.168.0.0/16:
1. Add the specific subnet 192.168.1.0/24 and designate it as Exclude.
2. Add the larger, encompassing subnet 192.168.0.0/16 and designate it as Include.

Note: If the rules in the above example were reversed, with the Include rule on top, the User-ID Agent would allow mapping on 192.168.0.0/16 and then disregard the Exclude rule for 192.168.1.0/24.

See Also
How to Change the Include and Exclude Lists with User-ID Agent 4.1

owner: mbutt
View full article
mbutt ‎07-20-2018 11:07 AM
13,454 Views
3 Replies
2 Likes
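The top-to-bottom evaluation described in the Include/Exclude article, written out as a small Python model so the ordering rule and the implicit deny can be checked before a list is committed. This is an added example, not the User-ID Agent's own code; the first-match semantics and the "implicit deny only when an Include entry exists" behaviour are taken from the article, and the `unreachable_entries` lint is an assumption-free consequence of those rules (an entry whose network is fully covered by an earlier entry can never match).

```python
import ipaddress
from typing import List, Optional, Tuple

# One Include/Exclude entry: a network in CIDR notation and its action.
# The list is ordered: it is processed top to bottom and the first entry whose
# network contains the address decides (a constructed model of the behaviour
# described in the article, not the User-ID Agent's code).
Entry = Tuple[str, str]  # (cidr, "include" | "exclude")


def evaluate(ip: str, entries: List[Entry]) -> Tuple[bool, Optional[Entry]]:
    """Return (map_this_ip, matching_entry).

    - Empty list: every address is eligible for mapping.
    - First matching entry wins, so a broad Include above a narrow Exclude
      makes the Exclude unreachable.
    - An address that matches nothing is denied if any Include entry exists
      (the implicit deny) and allowed if the list holds only Excludes.
    """
    if not entries:
        return True, None
    addr = ipaddress.ip_address(ip)
    for cidr, action in entries:
        if action not in ("include", "exclude"):
            raise ValueError(f"unknown action {action!r} for {cidr}")
        if addr in ipaddress.ip_network(cidr, strict=False):
            return action == "include", (cidr, action)
    has_include = any(action == "include" for _, action in entries)
    return (not has_include), None


def should_map(ip: str, entries: List[Entry]) -> bool:
    """Convenience wrapper: does User-ID try to map this address at all?"""
    return evaluate(ip, entries)[0]


def unreachable_entries(entries: List[Entry]) -> List[Entry]:
    """Lint the list: an entry whose network lies inside an earlier entry's
    network can never be reached.  The reversed example in the article
    (Include 192.168.0.0/16 above Exclude 192.168.1.0/24) shows up here as a
    shadowed Exclude."""
    shadowed: List[Entry] = []
    for i, (cidr, action) in enumerate(entries):
        net = ipaddress.ip_network(cidr, strict=False)
        for earlier_cidr, _ in entries[:i]:
            if net.subnet_of(ipaddress.ip_network(earlier_cidr, strict=False)):
                shadowed.append((cidr, action))
                break
    return shadowed


if __name__ == "__main__":
    correct = [("192.168.1.0/24", "exclude"), ("192.168.0.0/16", "include")]
    reversed_order = list(reversed(correct))
    for ip in ("192.168.1.20", "192.168.2.20", "10.0.0.1"):
        print(ip, "correct:", should_map(ip, correct),
              "reversed:", should_map(ip, reversed_order))
    print("shadowed entries in reversed list:", unreachable_entries(reversed_order))
```

Running the script shows 192.168.1.20 unmapped with the correct order and mapped with the reversed order, and 10.0.0.1 unmapped in both cases because an Include entry exists.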
Overview
When using the User-ID Agent to identify users on the network, there is a way to ignore certain users. Generally this is used for service accounts, but any desired username can be entered.

Steps
1. Stop the User-ID service.
2. Modify or create the file ignore_user_list.txt in the directory where the User-ID Agent is installed. This file contains all the users to be ignored, one username per line.
   Note: It is sometimes required to have two entries for each username, the plain username and the username prefixed with the NetBIOS domain name:
   user1
   mydomain\user1
3. Start the User-ID service.

Starting from PAN-OS 7.1, the ignore user list can also be configured for the agentless User-ID through the WebUI.

See also
How to Add/Delete Users from Ignore User List using Agentless User-ID

owner: sspringer
View full article
sspringer ‎07-20-2018 09:45 AM
42,572 Views
21 Replies
3 Likes
Overview
When using nested user groups, the Palo Alto Networks firewall returns all users within the main group along with all users within the nested group(s). For example, if "top_level_group" contains two nested groups, "nested_group_1" and "nested_group_2", all queries to top_level_group from the firewall also pull back the users in the nested groups. A security policy can be configured with "top_level_group", and users from "nested_group_1" and "nested_group_2" will also be included.

Verification
The CLI command show user group name xxx can be used to display the users within the group. The output below shows that "top_level_group" contains the users from "nested_group_1" and "nested_group_2".

> show user group name "cn=top_level_group,cn=users,dc=pantac2012,dc=gcs,dc=paloaltonetworks,dc=com"
short name:  pantac2012\top_level_group
source type: service
source:      panlab2012

[1] pantac2012\panuser1
[2] pantac2012\panuser2
[3] pantac2012\panuser3
[4] pantac2012\panuser10
[5] pantac2012\panuser11
[6] pantac2012\panuser12

> show user group name "cn=nested_group_1,cn=users,dc=pantac2012,dc=gcs,dc=paloaltonetworks,dc=com"
short name:  pantac2012\nested_group_1
source type: service
source:      panlab2012

[1] pantac2012\panuser1
[2] pantac2012\panuser2
[3] pantac2012\panuser3

> show user group name "cn=nested_group_2,cn=users,dc=pantac2012,dc=gcs,dc=paloaltonetworks,dc=com"
short name:  pantac2012\nested_group_2
source type: service
source:      panlab2012

[1] pantac2012\panuser10
[2] pantac2012\panuser11
[3] pantac2012\panuser12

See also
Retrieving AD groups fails - nested-group-level exceeds limit

owner: pmak
View full article
pmak ‎06-27-2018 01:58 PM
18,181 Views
5 Replies
Updated May 2018 kiwi

Issue
Active Directory servers configured for agentless User-ID frequently disconnect from the firewall. The connection status for those servers, under the Server Monitoring section for User Mapping, keeps flapping between connected and not connected. The User-ID logs contain the following error message for each configured AD server:
Error: pan_user_id_win_sess_query(pan_user_id_win.c:1241): session query for <server name> failed: [wmi/wmic.c:216:main()] ERROR: Retrieve result data.

The "not connected" status is visible under Device > User Identification > User Mapping > Server Monitoring.

Cause
Agentless User-ID is configured to monitor user session information from the servers in the Server Monitoring list. Session query attempts from the firewall to those AD servers fail because of a permission issue: the domain account used to access the session information does not have privileges to read the user session information from the servers. The Server Operators group and the Domain Admins group include the session query read permissions.

To find the user name the agentless User-ID uses to connect to the AD server (172.30.30.15 in this example), go to Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup and open the settings. On the AD server (172.30.30.15), check the permissions for that user (cr7 in this example).

Resolution
Option 1: Grant Server Operators or Domain Admins privileges to the service account used under WMI Authentication. In the example, the Server Operators permission is added to the user cr7; after that, the agentless User-ID shows as connected to the AD server.
Option 2: If it is not being used, disable the server session read option.

owner: knarra
View full article
knarra1 ‎04-27-2018 08:52 AM
38,572 Views
6 Replies
1 Like
Overview
Once a username is added to the Ignore User list, it is important to delete the user's IP mapping (if it already exists) from both the dataplane (DP) and the management plane (MP) after committing the changes. A common mistake is to delete the mapping from the DP but not from the MP; the MP then pushes the mapping back to the DP and the user remains identified.

Details
Verify whether the user is being ignored by tailing useridd.log (if using agentless User-ID). If using an agent, these logs appear in the Uadebug.log file in the User-ID Agent's directory:
> tail follow yes mp-log useridd.log
Oct 21 11:44:22 pan_user_id_ipuser_add(pan_user_id_ipuser.c:601): user domain\username is in ignore list
Oct 21 11:44:22 pan_user_id_ipuser_add(pan_user_id_ipuser.c:601): user domain\username is in ignore list

To turn on debug-level logging for User-ID, run the following commands:
> debug user-id on debug
> debug user-id set userid basic

Use the commands below to turn off the debug level and the User-ID basic logging after a suitable duration:
> debug user-id on info
> debug user-id unset all

The following commands clear the mapping:
> clear user-cache-mp ip <IP-address>    (clear the management plane user cache)
> clear user-cache ip <IP-address>       (clear the dataplane user cache)

> show user ip-user-mapping ip <ip>
No matched record

See Also
Refer to the following articles to add or delete users on the Ignore User list when using the agentless User-ID or the User-ID Agent:
How to Add/Delete Users from Ignore User List using Agentless User-ID
How to Ignore Users in User-ID Agent

owner: apasupulati
View full article
apasupulati ‎04-03-2018 05:17 AM
27,589 Views
0 Replies
1 Like
To upgrade the User-ID agent:
1. Navigate to Services and stop the User-ID Agent service.
2. Navigate to Program Files > Palo Alto Networks > User-ID Agent. Zip the User-ID Agent folder and back it up to a different location.
3. Log into support.paloaltonetworks.com and download the latest User-ID Agent.
4. Perform the install.
5. Once the install is done, the latest agent should start running with all the configuration retrieved from the previous agent.

owner: mvenkatesan
View full article
mvenkatesan ‎02-12-2018 01:09 AM
16,398 Views
4 Replies
5 Likes
Issue/Symptom
If a Group Mapping object has an invalid entry in its Group Include List, the firewall will not list any of the included groups; in other words, the firewall lists 0 groups. In the snapshot referenced below, the outlined entry in the Group Mapping object defined in Panorama does not actually exist in Active Directory.

More info
This issue was first seen in PAN-OS 7.0.11 and has been resolved in PAN-OS 7.0.12, 7.1.7, and 8.0.0.

Per the release notes: PAN-69485 - Fixed an issue where User-ID group mapping did not retain groups retrieved from Active Directory (AD) servers if there were any invalid groups in the group-mapping include list.

Resolution
Identify the included group that no longer exists and remove it from the Group Include List. From the WebGUI, go to Device > User Identification > Group Mapping Settings and click the profile name to open the Group Mapping window. From there you can remove any group that no longer exists.

Figure 1 - The highlighted text illustrates a group that does not exist in the AD domain. This is a Group Mapping object in Panorama, where all of these entries were entered manually.

Figure 2 - Example of a previously included group which no longer exists. This snapshot shows the Group Mapping object directly on the firewall, as pushed down from Panorama, in an instance where a previously included group no longer exists under the Santa Clara OU (organizational unit), where it was once before.

Addressed in PAN-OS 8.0
This issue has been addressed in PAN-OS 8.0. Here you see that even though "jerryskids" is included, as illustrated in Figure 2, it does not affect the firewall's ability to obtain information about the other four included groups.
admin@Labvm> show user group-mapping statistics
Name         Vsys    Groups Last-Action(secs)                Next-Action(secs)
---------------------------------------------------------------------------
PANTAC2012   vsys1   4      521 secs ago(took 0 secs)        In 3079 secs

admin@Lab196-13-PA-VM> show user group list
cn=dev,ou=santa clara,dc=pantac2012,dc=gcs,dc=paloaltonetworks,dc=com
cn=de,ou=santa clara,dc=pantac2012,dc=gcs,dc=paloaltonetworks,dc=com
cn=tier2,ou=santa clara,dc=pantac2012,dc=gcs,dc=paloaltonetworks,dc=com
cn=tier3,ou=santa clara,dc=pantac2012,dc=gcs,dc=paloaltonetworks,dc=com
Total: 4
* : Custom Group

admin@Lab196-13-PA-VM> show user user-ids match-user jjosephs
User Name                       Vsys    Groups
------------------------------------------------------------------
pantac2012\jjosephs             vsys1   cn=de,ou=santa clara,dc=pantac2012,dc=gcs,dc=paloaltonetworks,dc=com
Total: 13
* : Custom Group

In PAN-OS 7.0.11
In contrast to 8.0, 7.0.11 does not have the ability to get past the unknown group and therefore loses information about all previously known groups.

admin@LabVM> show user group-mapping state all
Group Mapping(vsys1, type: active-directory): PANTAC2012
        Bind DN    : pantac2012\administrator
        Base       : DC=pantac2012,DC=gcs,DC=paloaltonetworks,DC=com
        Group Filter: (None)
        User Filter: (None)
        Servers    : configured 1 servers
                10.46.48.132(389)
                Query Local Group Mapping Service:
                        Last Action Time: 2 secs ago(took 0 secs)
                        Next Action Time: To be started
        Number of Groups: 0

admin@LabVM> show user group list
Total: 0
* : Custom Group

However, once the error has been corrected and the unknown group is removed from the Included Groups list, PAN-OS 7.0.11 recovers immediately and displays the list of groups and the members of each group.
admin@LabVM> show user group-mapping state all
Group Mapping(vsys1, type: active-directory): PANTAC2012
        Bind DN    : pantac2012\administrator
        Base       : DC=pantac2012,DC=gcs,DC=paloaltonetworks,DC=com
        Group Filter: (None)
        User Filter: (None)
        Servers    : configured 1 servers
                10.46.48.132(389)
                Query Local Group Mapping Service:
                        Last Action Time: 255 secs ago(took 1 secs)
                        Next Action Time: In 3345 secs
        Number of Groups: 4
        cn=de,ou=santa clara,dc=pantac2012,dc=gcs,dc=paloaltonetworks,dc=com
        cn=tier3,ou=santa clara,dc=pantac2012,dc=gcs,dc=paloaltonetworks,dc=com
        cn=dev,ou=santa clara,dc=pantac2012,dc=gcs,dc=paloaltonetworks,dc=com
        cn=tier2,ou=santa clara,dc=pantac2012,dc=gcs,dc=paloaltonetworks,dc=com

admin@LabVM> show user group name "cn=de,ou=santa clara,dc=pantac2012,dc=gcs,dc=paloaltonetworks,dc=com"
short name:  pantac2012\de
source type: service
source:      PANTAC2012
[1     ] pantac2012\fmehmood
[2     ] pantac2012\jbomers
[3     ] pantac2012\jjosephs
[4     ] pantac2012\nanderson
[5     ] pantac2012\nnayak
View full article
jjosephs ‎11-21-2017 01:24 PM
2,123 Views
0 Replies
Symptoms
There are two settings for source port allocation in the Palo Alto Networks TS Agent:
System Source Port Allocation Range: The port range for system processes that are not associated with individual users. The format is low-high (default 1025-5000).
Source Port Allocation Range: The range of ports allocated to user sessions. This setting controls the source port allocation for processes belonging to remote users (default 20000-39999).
If a port allocation request comes from a system service that cannot be identified as a particular user's process, the TS Agent lets the system allocate the source port from the system port range, excluding the system reserved source ports.

Issue
If a user establishes a console connection to the server where the TS Agent is installed, or performs an administrative login via an RDP connection (with the "/admin" switch), that user will always be unknown.

What is happening/explanation
The /admin switch bypasses the Terminal Server software and goes straight to the built-in RDP functionality that comes with every server install. The switch causes the RDP session to bypass the Terminal Services that are used to run administrative tasks on the TS, so the session uses the "System Source Port Allocation Range". The TS Agent maps IP addresses to source ports only from the "Source Port Allocation Range", hence the domain user who logs in administratively always remains unknown.

owner: ppatel
View full article
ppatel ‎11-21-2017 12:20 PM
7,176 Views
5 Replies
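The port-allocation mechanics described in the two TS Agent articles above (the featured article on Port Allocation Start Size / Maximum Size per User, and this one on the system versus user source-port ranges) as an added Python simulation. It is a constructed model, not Palo Alto Networks code: per-user blocks of `start_size` ports are handed out from the Source Port Allocation Range until `max_size` is reached and allocation fails; system processes take single ports from the System Source Port Allocation Range, skipping Reserved Source Ports; and `user_for_port` shows why traffic sourced from the system range can never be attributed to a user. Default ranges and sizes are the defaults quoted in the articles; the block layout (contiguous, lowest-first) is an assumption of the model.

```python
import heapq
from typing import Dict, List, Optional, Set, Tuple


class TSAgentPortAllocator:
    """Constructed model of TS Agent source-port allocation (not vendor code).

    User processes draw ports from the Source Port Allocation Range in blocks
    of `start_size`; a user may hold at most `max_size` ports, after which
    further requests fail.  System processes draw single ports from the System
    Source Port Allocation Range, skipping Reserved Source Ports, and are never
    attributed to a user (a console or "/admin" RDP login lands here).
    """

    def __init__(self, user_range: Tuple[int, int] = (20000, 39999),
                 system_range: Tuple[int, int] = (1025, 5000),
                 reserved: Set[int] = frozenset(),
                 start_size: int = 400, max_size: int = 4000) -> None:
        if start_size <= 0 or max_size < start_size:
            raise ValueError("need max_size >= start_size > 0")
        self.user_range, self.system_range = user_range, system_range
        self.reserved = set(reserved)
        self.start_size, self.max_size = start_size, max_size
        self._next_block = user_range[0]          # next unallocated user port
        self._blocks: Dict[str, List[Tuple[int, int]]] = {}
        self._free: Dict[str, List[int]] = {}     # per-user min-heap of free ports
        self._in_use: Dict[str, Set[int]] = {}
        self._system_in_use: Set[int] = set()

    def ports_held(self, user: str) -> int:
        return sum(hi - lo + 1 for lo, hi in self._blocks.get(user, []))

    def allocate_block(self, user: str) -> Optional[Tuple[int, int]]:
        """Grant the user another block of `start_size` ports, or None when the
        per-user maximum or the overall user range is exhausted."""
        if self.ports_held(user) + self.start_size > self.max_size:
            return None
        lo, hi = self._next_block, self._next_block + self.start_size - 1
        if hi > self.user_range[1]:
            return None
        self._next_block = hi + 1
        self._blocks.setdefault(user, []).append((lo, hi))
        heap = self._free.setdefault(user, [])
        for port in range(lo, hi + 1):
            heapq.heappush(heap, port)
        return lo, hi

    def allocate_port(self, user: str) -> Optional[int]:
        """Hand the user its lowest free port, growing its allocation by one
        block when every port it holds is in use."""
        heap = self._free.setdefault(user, [])
        if not heap and self.allocate_block(user) is None:
            return None
        port = heapq.heappop(heap)
        self._in_use.setdefault(user, set()).add(port)
        return port

    def release_port(self, user: str, port: int) -> None:
        """Return a port to the user's pool; the blocks stay with the user."""
        if port in self._in_use.get(user, set()):
            self._in_use[user].remove(port)
            heapq.heappush(self._free[user], port)

    def allocate_system_port(self) -> Optional[int]:
        """System-range allocation: lowest port neither reserved nor in use."""
        lo, hi = self.system_range
        for port in range(lo, hi + 1):
            if port not in self.reserved and port not in self._system_in_use:
                self._system_in_use.add(port)
                return port
        return None

    def user_for_port(self, port: int) -> Optional[str]:
        """What a source port reveals: the owning user, or None for any port
        outside the user blocks (system-range traffic stays unknown)."""
        for user, blocks in self._blocks.items():
            if any(lo <= port <= hi for lo, hi in blocks):
                return user
        return None


if __name__ == "__main__":
    ts = TSAgentPortAllocator(reserved={1025, 1026})
    for _ in range(401):                       # 401st request triggers a 2nd block
        last = ts.allocate_port("alice")
    print("alice holds", ts.ports_held("alice"), "ports; last port", last)
    print("system port:", ts.allocate_system_port(),
          "-> user:", ts.user_for_port(1027))
```

With the defaults, a user's eleventh block request fails (4000 ports already held), and any port the system allocated from 1025-5000 resolves to no user, which is the behaviour the "/admin" article explains.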
Issue
When using a group in the "allow list" for the authentication profile that GlobalProtect uses, the login attempt fails with the following error:
"Reason: User is not in allowlist"
However, the login works fine if the allow list is set to "all" in the authentication profile.

Resolution
1. Confirm that the group you are using is in the include list of a Group Mapping configuration under Device > User Identification > Group Mapping Settings.
2. Confirm that the group in question contains the user attempting to log in. Run the CLI command show user group name <value>. For example:
> show user group name pantac\vpn-user
short name:  pantac\vpn-user
source type: ldap
source:      Pantac2003
[1     ] pantac\user1
[2     ] pantac\admin1
[3     ] pantac\administrator
[4     ] pantac\user2
[5     ] pantac\user4
3. Confirm that the LDAP server profile used for your Group Mapping and your GlobalProtect authentication profile contains the NetBIOS domain name (short name) in the domain field. Do not use the DNS name for the domain (domainname.com). In most cases this is the same profile, and in many cases the field can also be left blank. The LDAP server profile is under Device > Server Profiles > LDAP. In PAN-OS 7.0 and later, the domain setting moved to Device > User Identification > Group Mapping Settings: User Domain. In PAN-OS 8.0 the User Domain can also be controlled in the Authentication Profile.
4. Confirm that the group name in the allow list of the GlobalProtect authentication profile is listed with the long name of the group. This value can be pasted from the output of the "show user group list" CLI command.

owner: jteestel
View full article
jteetsel ‎11-20-2017 05:04 AM
91,297 Views
23 Replies
1 Like
Overview
A Palo Alto Networks firewall can be configured as a collector to redistribute user mapping information to other Palo Alto Networks firewalls on your network. This document describes how to configure a redistribution firewall and verify the configuration from the CLI.

Note: Only the user mapping information collected by the agentless User-ID (PAN-OS User Mapping) feature is redistributed to the other firewalls. If multiple firewalls need to pull mappings from the collector, all of them should specify the collector name in the User-ID Agents tab. The collector does not redistribute the mappings from a terminal server; this is expected behavior.

Steps
1. Navigate to Device > User Identification.
2. In the User Mapping tab, click the edit icon.
3. Configure the collector from the Redistribution tab by entering a Collector Name and a Pre-Shared Key. This information is used by the firewalls that will pull user mapping information.
4. Check for the Collector Name on the Device > User Identification > User Mapping tab. (In the referenced image, user mapping has also been configured for an Active Directory server.)
5. Ensure the User-ID service is enabled on a Management Interface profile.
6. Navigate to Network > Network Profiles > Interface Mgmt.
7. Open the profile applied to the appropriate interface, or add a new profile.
8. Enable the User-ID service in the profile. Note: If you are using a dataplane interface, configure a service route for that interface under the UID Agent selection.
9. Commit the changes. This completes the configuration of the collector.

Configure a Palo Alto Networks firewall to retrieve the IP-user mappings from the collector:
1. Navigate to the User-ID Agents tab at Device > User Identification.
2. Click Add and enter values into the fields. The Collector Name and Pre-Shared Key fields must be the same as on the collector. The firewall connects to the collector on port 5007; this cannot be modified.
3. Commit the changes.
The user mappings from the collector will appear on the firewall.

Verification
The following CLI commands can be used to verify that the collector service is up and that the user mapping information is received on the other Palo Alto Networks firewalls.
On the collector, display the status of the User-ID service:
> show user user-id-service status
Display the clients/firewalls that are connected to the collector:
> show user user-id-service client all
Display the IP-user mapping on the collector:
> show user ip-user-mapping all
On the firewall which receives information from the collector, display the IP-user mapping:
> show user ip-user-mapping all

See also
User-ID Best Practices - PAN-OS
The collector will redistribute user-IP mappings learned through GlobalProtect: GlobalProtect Users Appear as Coming From User-ID Agent in IP-User Mapping

owner: sdarapuneni
View full article
zarina ‎10-04-2017 11:59 AM
32,911 Views
6 Replies
Overview
For IP-to-user mappings, many networks have more than one monitored Active Directory server or domain controller for redundancy. Troubleshooting user mapping issues is harder if the source of a particular user mapping is unknown. This document shows how to use the > show log userid command to obtain useful information about user mappings, including how a mapping was learned by the firewall.

Steps
As an example, one User-ID agent (Agent243) and one agentless User-ID source (Agentless243) are configured on the firewall.
1. Verify the configured sources from which you are learning user mappings.
For User-ID Agents hosted on a Windows machine, use the command:
> show user user-id-agent statistics
For agentless User-ID configured on the firewall, use the following command:
> show user server-monitor statistics
2. Verify the user mappings that are currently learned on the firewall, using either of these commands.
For all known mappings on the firewall:
> show user ip-user-mapping all
For user mappings to a specific IP (example 1.1.1.1):
> show user ip-user-mapping ip 1.1.1.1
3. Once you know enough about the configured data sources or users, use the > show log userid command to derive more useful information about the user mappings.

Note: Debug mode should be enabled on the User-ID process for in-depth logging.
Enable debug mode:
> debug user-id log-ip-user-mapping yes
Disable debug mode after acquiring the desired logs:
> debug user-id log-ip-user-mapping no

Examples of using the show log userid command:

Determine the most recent addresses learned from the agentless User-ID source:
> show log userid datasourcename equal Agentless243 direction equal backward
Domain,Receive Time,Serial #,Type,Threat/Content Type,Config Version,Generate Time,Virtual System,ip,User,datasourcename,eventid,Repeat Count,timeout,beginport,endport,datasource,datasourcetype,seqno,actionflags
1,2013/10/17 17:31:05,0006C114479,USERID,login,4,2013/10/17 17:31:05,vsys1,10.66.22.60,plano2008r2\userid,Agentless243,0,1,2700,0,0,active-directory,unknown,4434,0x0
1,2013/10/17 17:29:58,0006C114479,USERID,login,4,2013/10/17 17:29:58,vsys1,10.66.22.85,plano2008r2\ldapsvc,Agentless243,0,1,2700,0,0,active-directory,unknown,4342,0x0

Determine the most recent mappings received for IP address 192.168.40.212:
> show log userid ip in 192.168.40.212 direction equal backward
Domain,Receive Time,Serial #,Type,Threat/Content Type,Config Version,Generate Time,Virtual System,ip,User,datasourcename,eventid,Repeat Count,timeout,beginport,endport,datasource,datasourcetype,seqno,actionflags
1,2013/10/17 17:09:33,0006C114479,USERID,login,3,2013/10/17 17:09:33,vsys1,192.168.40.212,plano2008r2\tasonibare,Agent243,0,1,3600,0,0,agent,unknown,18,0x0

Determine the mappings that were identified through Kerberos authentication:
> show log userid datasourcetype equal kerberos

Determine the earliest mappings received for user 'piano2008r2\userid':
> show log userid user equal 'piano2008r2\userid'
Domain,Receive Time,Serial #,Type,Threat/Content Type,Config Version,Generate Time,Virtual System,ip,User,datasourcename,eventid,Repeat Count,timeout,beginport,endport,datasource,datasourcetype,seqno,actionflags
1,2013/10/17 17:09:33,0006C114479,USERID,login,3,2013/10/17 17:09:33,vsys1,10.66.22.87,piano2008r2\userid,Agent243,0,1,3600,0,0,agent,unknown,8,0x0
1,2013/10/17 17:11:54,0006C114479,USERID,login,4,2013/10/17 17:11:54,vsys1,10.66.22.87,piano2008r2\userid,Agentless243,0,1,2700,0,0,active-directory,unknown,21,0x0
Note: The command above includes the domain and the username in quotes, and the direction keyword was left out. This user has been learned from both the agentless and User-ID agent sources.

Show all logs related to User-ID:
> show log userid

owner: tasonibare
View full article
tasonibare ‎07-26-2017 03:10 PM
22,170 Views
5 Replies
1 Like
Issue
While using an agentless User-ID setup, the status shows as Access denied under Server Monitoring.

Cause
Check useridd.log. Run the following command:
> less mp-log useridd.log
Go to the end of the file by pressing Shift+G. If the following error appears in the logs, the problem is likely caused by a permissions issue:
log query for snt016 failed: [wmi/wmic.c:200:main()] ERROR: Login to remote object.
Also, if the error "NT_STATUS_NET_WRITE_FAULT" appears in the log entries, this indicates that a special character is used in the password of the service account. This password needs to be reset.

Resolution
Refer to the following document for the correct setup of the agentless User-ID: How to Configure Agentless User-ID

Check the permission settings on the Windows 2008/2012 server for WMI event log access by the agentless User-ID:
- All device users are assigned to a group. This group should be created as a "Universal group", so it can be used across multiple domains.
- The newly created group should be added to the built-in group "Event Log Readers", to allow reading of the security logs of the Active Directory domain controller or Microsoft Exchange server.
- It should also be added to the "Distributed COM Users" group to allow remote login via DCOM.
- If the group should be allowed to access the security logs of all domain servers, a corresponding permission can be set via Active Directory Group Policy Objects.

WMI Permissions
For Windows 2008/2012 servers, the permission system for accessing servers and local resources remotely changed dramatically from prior versions. These changes require certain permissions on the WMI APIs in order for User-ID to access security event logs remotely.
1. On each Windows server that needs to be monitored, open the WMI management console ("wmimgmt.msc").
2. Select the local WMI Control properties and edit the "Security" settings.
3. Navigate to the "CIMV2" section and click "Security".
4. Add the user group created for the firewall users to the list of authorized users and groups, and enable the "Enable Account", "Remote Enable" and "Read Security" permissions.

GPO Settings
Alternatively, to allow the newly created user group to access ALL security logs across all domain servers, set the corresponding Group Policy Object instead of adding the group to the local groups on each server. This is required because this permission is a local permission on the servers of the domain. Refer to the following document for the setup of a GPO: Using Active Directory GPO to Install the Global Protect Client.

If the issue is still not resolved, take packet captures on the domain controller to determine the failed authentication and contact Palo Alto Networks support.

owner: pvemuri
View full article
pvemuri ‎07-06-2017 05:51 AM
62,416 Views
11 Replies
4 Likes
Overview
When it comes to authenticating users based on user groups, most deployments make use of an LDAP authentication profile. This document describes the configuration required on the Palo Alto Networks firewall and explains how to pull the Palo Alto Networks User Group attribute to ensure successful user-group based VPN authentication using secure RSA.

Prerequisite: group information on the Palo Alto Networks firewall needs to be populated through an LDAP profile, as described in the article How to Configure Active Directory Server Profile for Group Mapping and Authentication, before starting these configuration steps.

Steps
1. Go to Device > Server Profiles > RADIUS and add a RADIUS server.
2. Go to Device > Authentication Profile and create a RADIUS authentication profile that references the RADIUS server profile created in Step 1.
Although the LDAP user groups are referenced in the allow list, the RADIUS server profile is used to relay the authentication request to the RADIUS server. Note that authentication does NOT happen on the Palo Alto Networks firewall; it takes place on the RADIUS server. As a result, the RADIUS server must be able to pass the user-group information back to the firewall, which is possible through the Palo Alto Networks dictionary file.

The Palo Alto Networks dictionary is installed on the RADIUS server and defines the authentication attributes needed for communication between a Palo Alto Networks firewall and the RADIUS server.

See Also
To download the dictionary file and for more information, see: RADIUS Dictionary

owner: tshivkumar
View full article
tshiv ‎06-30-2017 03:11 AM
6,835 Views
0 Replies
2 Likes
Symptoms
This document provides a walk-through of policy enforcement based on user groups retrieved from Active Directory.

Pre-requisites
You should have a working knowledge of:
- Active Directory
- The User-ID feature on the Palo Alto Networks firewall

Components Used
The information in this document is based on these software and hardware versions:
- Palo Alto Networks VM firewall running PAN-OS 7.1.7
- Active Directory Services running on a Microsoft Windows Server 2012 R2 server, configured as a domain controller

The information in this document was created from the devices in a specific lab environment. If your network is live, make sure that you understand the potential impact of any command.

Consider a security policy which is configured with groups retrieved from Active Directory domain controllers using LDAP. The policy appears as below, with the groups configured under the "user" section. Let us take a look at how the PAN firewall enforces policies based on the groups configured in the security policies.

Diagnosis
Workflow
1. The firewall performs a top-down lookup through the policy rulebase to find a match and uses the group as one of the key fields.
2. The User-ID feature on the Palo Alto Networks firewall maps usernames to IP addresses. It takes the IP address from the source IP address field of the IP header of packets ingressing on a security zone of the firewall where User-ID is enabled. Consider the security policy above, which is configured with the groups named "captive portal" and "sme_group" retrieved from Active Directory using LDAP under the "user" section. In the above example the security policy is configured from zone "dmz" or "trust", hence it is imperative that User-ID is enabled on these security zones.
3. Once enabled, the firewall attempts to resolve the username for every IP address during the session installation phase, also known as 'slowpath'. For username-to-IP mapping it may leverage any of the methods such as the software-based User-ID agent, PAN-OS (agentless) User-ID, Syslog, the XML API or Captive Portal.
4. Once the firewall gets the username corresponding to the source IP address of the packet, the next step is to determine the groups to which this user belongs. In most enterprises the firewall retrieves groups from Active Directory domain controllers using LDAP.
5. Now it compares the username from the username-IP cache with the username in the group-mapping cache on the data plane.
6. If the username exactly matches between the two caches, the firewall is able to associate the IP address with its username and the corresponding group membership. With the group name or membership retrieved, it can perform a top-down policy lookup to find a matching policy.

Solution
Troubleshooting and Checklist
1. Ensure that groups are retrieved from Active Directory. In this scenario the two groups, namely captive_portal and sme_group, are retrieved from Active Directory.
2. Check the membership within these groups. Here you can explicitly look for the users which are part of the group "sme_group", or similarly for "captive_portal".
3. The group-mapping cache shows the membership of the users with the respective groups they belong to in Active Directory.
4. Note the username and its format in the user-IP cache on the data plane (DP). It is the same as the one in the group-mapping cache. Since the username "test\testuser" in the IP-user cache matches exactly with the username in the group-mapping cache, the firewall can find all the policies where these groups are being used. Look closely at the "Groups that the user belongs to (used in policy)" section and the groups under it. It lists all the groups to which the user "test\testuser" belongs and which are referenced in the policies. If the usernames did not match exactly, these groups would not be present.

Please refer to "Avoid fetching duplicate groups in group-mapping profile" for more information on this.
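The lookup the article walks through, as an added Python simulation that is not part of the article or of any firewall code. It shows why the username in the IP-user cache must be an exact string match for the username in the group-mapping cache: two entries for the same person in a different domain casing or in UPN format end up with no groups and fall through to the deny rule. The IP-user cache, the group-mapping cache, the group DNs and the rulebase are all constructed for the illustration.

```python
"""Added example (not from the article): simulate the group-based policy lookup.

Everything here is constructed for illustration: the IP-user cache, the
group-mapping cache, the group DNs and the rulebase are made up and are not
the output of any firewall.
"""
from dataclasses import dataclass

# Constructed IP-user cache: what User-ID resolved for each source address.
IP_USER_CACHE = {
    "10.10.1.15": "test\\testuser",        # NetBIOS domain\user, as in the article
    "10.10.1.16": "TEST\\testuser",        # same person, different domain casing
    "10.10.1.17": "testuser@test.local",   # same person, UPN format
}

# Constructed group-mapping cache: group DN -> member usernames fetched via LDAP.
GROUP_MAPPING_CACHE = {
    "cn=sme_group,cn=users,dc=test,dc=local": {"test\\testuser", "test\\alice"},
    "cn=captive_portal,cn=users,dc=test,dc=local": {"test\\bob"},
}


@dataclass
class Rule:
    name: str
    zones: set      # source zones the rule applies to
    groups: set     # group DNs in the rule's "user" column; empty = any user
    action: str


# Constructed rulebase, evaluated top-down like the article's workflow step 1.
RULEBASE = [
    Rule("allow-sme", {"trust", "dmz"}, {"cn=sme_group,cn=users,dc=test,dc=local"}, "allow"),
    Rule("allow-cp", {"trust"}, {"cn=captive_portal,cn=users,dc=test,dc=local"}, "allow"),
    Rule("deny-all", {"trust", "dmz"}, set(), "deny"),
]


def groups_for(username):
    """Exact string comparison between the two caches (workflow steps 5 and 6)."""
    return {dn for dn, members in GROUP_MAPPING_CACHE.items() if username in members}


def first_match(zone, groups):
    """Top-down rulebase lookup using zone and group membership as keys."""
    for rule in RULEBASE:
        if zone in rule.zones and (not rule.groups or rule.groups & groups):
            return rule.name
    return None


def lookup(src_ip, zone, userid_enabled_zones):
    """Return (username, groups, matched rule) for a session from src_ip in zone.

    If User-ID is not enabled on the zone, no username is resolved at all, so
    group-based rules can never match (workflow step 2).
    """
    if zone not in userid_enabled_zones:
        return None, set(), first_match(zone, set())
    username = IP_USER_CACHE.get(src_ip)
    groups = groups_for(username) if username else set()
    return username, groups, first_match(zone, groups)


if __name__ == "__main__":
    for ip in IP_USER_CACHE:
        print(ip, lookup(ip, "trust", {"trust", "dmz"}))
```

The two mismatched entries stand in for the mismatch case in checklist step 4: the person is known, but because the strings differ the group set is empty and the group-based rules never match.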
kbiswas 05-04-2017 12:09 PM
With agentless User-ID, the user mappings are obtained directly by queries that the firewall itself makes to the domain controller. The IP-user mapping logs can be viewed by performing the steps below.

Steps
Turn on logging for IP-user mapping:
> debug user-id log-ip-user-mapping yes

View the log:
> show log userid
1,2013/03/28 12:53:05,001701000225,USERID,login,12,2013/03/28 12:53:05,vsys1,172.17.128.92,plano2008r2\administrator,test,0,1,2700,0,0,active-directory,unknown,1,0x0
1,2013/03/28 12:53:05,001701000225,USERID,login,12,2013/03/28 12:53:05,vsys1,172.17.128.92,plano2008r2\administrator,test,0,1,2700,0,0,active-directory,unknown,2,0x0
1,2013/03/28 12:53:05,001701000225,USERID,login,12,2013/03/28 12:53:05,vsys1,172.17.128.92,plano2008r2\administrator,test,0,1,2700,0,0,active-directory,unknown,3,0x0
1,2013/03/28 12:53:05,001701000225,USERID,login,12,2013/03/28 12:53:05,vsys1,172.17.128.92,plano2008r2\administrator,test,0,1,2700,0,0,active-directory,unknown,4,0x0

Turn off logging:
> debug user-id log-ip-user-mapping no

See also
For more information on User-ID, please see the following link: User-ID resource list

owner: anatrajan
Chatri 04-24-2017 03:06 AM
Issue
When authentication attempts exceed the number of permitted failed attempts, the user is placed in a locked state, and the error message below appears in the authd logs:

"pan_authd_generate_alarm(pan_authd.c:808): Generating alarm for auth failure log: Admin jai failed to authenticate 2 times - the unsuccessful authentication attempts threshold reached. Admin jai's account is being disabled due to excessive failed authentication attempts".

Cause
If the user tries to authenticate for the first time, and Failed Attempts is configured to 2 and the Lockout Time to 10 minutes, the firewall checks the first profile. If the attempt fails it then checks "Profile 2", and if that too fails, the user is pushed into a locked state for the period specified in the Lockout Time.

If Failed Attempts is configured to 3, it checks profile "Profile" for the first attempt, then profile "Profile 2" for the second attempt, and then finally profile "Profile" again for the third attempt. If a user has 2 authentication profiles and Failed Attempts is configured as 1, then the second profile "Profile 2" is not even evaluated and the user is immediately moved to the locked state.

Go to Device > Authentication Sequence, as shown below:

Note: If the lockout time is configured as 0 minutes, the user is not unlocked after a specific amount of time, but must be unlocked manually by an administrator via the Device > Administrators tab for administrators and Device > Authentication Profile for other users.

When users are locked, the logs below appear when running the following CLI command:
> tail follow yes mp-log authd.log

After two attempts, the user is disabled and put into a locked state:

The syslog generates the following logs, which suggest the account is locked and placed in the locked users list:

Resolution
Go to Device > Authentication Profile. In the last column, "Locked Users," click the Unlock icon. The user will be unlocked as shown below. The user can also be unlocked under Device > Administrators.

owner: dantony
dantony 04-06-2017 12:05 AM
Overview
Service devices that are neither a component of the corporate domain nor have a real user behind them are often overlooked when designing the User-ID topology. These devices, 'bring your own device' (BYOD) and smart phones, behave as employee workstations and generate sessions to the corporate firewall, creating additional stress on the User-ID topology. Smart phones double the number of users that need to be identified and matched to the correct security policy. Because of this scenario, it is possible to reach the limit for unknown IP addresses and User-ID agents probed on the Palo Alto Networks firewall.

Issue
Users are not identified and appear as 'unknown' in the firewall's user-IP mappings. This can result in users matching a wrong rule and cause traffic to be dropped or blocked. The following message appears in the User-ID log (useridd.log):
> tail follow yes mp-log useridd.log
2014-01-20 14:07:45.498 +0100 pan_user_id_agent_update_unknown_ip_rate_limit: Unknown IP rate is now 101, enabling rate limiting for VM1_collector

A check on the number of unknown IP-user mappings returns a high value, for example:
> show user ip-user-mapping all type UNKNOWN option count
Total: 349 users

Cause
This happens when the rate at which the firewall sends queries for unknown IP addresses to the User-ID Agent exceeds 100 unknown IP addresses per second. At the time this log is generated, the firewall has many unknown IP addresses in the user-IP mappings. At this point, if any request for an unknown IP address needs to be sent to the User-ID Agent, the query is dropped and the mapping is not requested from the User-ID Agent.

Note: The limit on the firewall is 100 requests for unknown IP addresses per second, which is a high rate even for the largest implementations. Most users, even with the default settings, likely never notice this issue during the lifespan of the firewall.

The rate limiting normally lasts for a couple of seconds (depending on the network) and the administrator can see the rate limiting being removed in the same log file (useridd.log):
2014-01-20 14:07:45.498 +0100 pan_user_id_agent_update_unknown_ip_rate_limit: Unknown IP rate is now 101, enabling rate limiting for VM1_collector
2014-01-20 14:07:47.504 +0100 pan_user_id_agent_update_unknown_ip_rate_limit: Unknown IP rate rate is now 76, disable rate limiting for VM1_collector

Running the same operational command after the rate limiting has finished returns a significantly smaller number of unknown users. For example:
> show user ip-user-mapping all type UNKNOWN option count
Total: 21 users

During that period (2 seconds in the above example), all requests for users that needed an IP-user mapping were discarded. The rate-limiting period is short and the "unknown" IP-user mappings have significantly shorter expiration timers than the identified users. However, it is possible that users are matched to wrong rules due to this limiting process. This will be accompanied by unusual traffic logs, where a user is mapped as a source of traffic, followed by an "unknown" user as a source from the same IP address, then later followed by the user being correctly mapped again. The process depends on the activity of the user. If the user initiates another session, a new request is sent to the User-ID Agent because the firewall has an "unknown" user assigned to that IP address. The agent replies with the mapping.

The high rate of unknown user-IP requests from the firewall can occur when there are many systems that don't have users behind them. They include IP phones, mobile phones, printers, wireless access points, servers and workstations that are not part of the domain, and other machines used in the corporation. Since these devices frequently initiate sessions and don't have users behind them, the Palo Alto Networks firewall is constantly trying to map them.

Resolution
To resolve the issue, use the User Identification ACLs on the zones where User Identification is enabled. Go to Network > Zones. Select the zone where user identification is enabled. Add an exclude and/or include list, if needed. Both lists are empty by default, which means that the firewall attempts to identify users behind all IP addresses that generate traffic. If the include list is empty, the firewall includes all the IP addresses, except those on the exclude list.

To review the zone configuration, see the same setup on the CLI. For example:
> configure
# show zone Trust-L3
Trust-L3 {
  network {
    layer3 [ ethernet1/2 loopback.4 vlan.30];
  }
  enable-user-identification yes;
  user-acl {
    exclude-list [ 10.2.13.0/24 10.8.97.0/27 172.120.5.0/25 Androids "http servers dynamic group" iPhones];
  }
}

This limits the number of requests that the firewall sends to the User-ID Agent, by not showing any interest in the objects given in the exclude list. Users behind those addresses aren't identified and don't appear in the logs. The list can have IP addresses, networks, objects, or object groups (static or dynamic).

FAQ - More Info
See below for some FAQs and more information about this issue:

What is the actual impact of User-ID enabling rate limiting for unknown IPs?
The firewall is rate limiting the requests it sends for IP-user mapping because more than 100 unknown users per second were generating traffic that hit the data plane. The rate-limiting period is short and the "unknown" IP-user mappings have significantly shorter expiration timers than the identified users. However, it is possible that users are matched to wrong rules due to this limiting process. This will be accompanied by unusual traffic logs, where a user is mapped as a source of traffic, followed by an "unknown" user as a source from the same IP address, and then later followed by the user being correctly mapped again. The process depends on the activity of the user. If the user initiates another session, a new request is sent to the User-ID Agent because the firewall has an "unknown" user assigned to that IP address. The agent will reply with the mapping.

Are there any mitigations available besides zone include/exclude ACLs that we should know about?
Global on the firewall: You may want to use the feature below, but this only applies to the user-IP mappings that you would like to learn. Define Subnetworks to Include/Exclude for User Mapping under Device > User Identification > User Mapping. Use the Include/Exclude Networks list to define the subnetworks that the User-ID agent will include or exclude when performing IP address-to-username mapping (discovery).
Per zone on the firewall with User-ID enabled on it: See the documentation in the current article.
BIG CAVEAT - From the Online Help: "If you add entries to the Exclude List but not the Include List, the firewall excludes user mapping information for all subnetworks within the zone, not just the subnetworks you added." We are including the RFC 1918 networks in the Include List since the excludes have precedence over the includes.

Is there a "nerd knob" that can be adjusted on larger platforms to raise the threshold?
No, the rate is hardcoded to 100 unknown users per second regardless of platform.

owner: ialeksov
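Detection logic for the condition described in this article, as an added Python example that is not part of the article. It parses the rate-limit messages from useridd.log, pairs each "enabling" with the following "disable" for the same collector to measure how long each rate-limiting window lasted, and reads the count out of the operational command's output. The first two log lines are the article's; the second pair is constructed to show a longer window.

```python
"""Added example (not from the article): find User-ID unknown-IP rate-limiting
windows in useridd.log and measure their duration.

The first two log lines are quoted from the article; the third and fourth are
constructed to show a second, longer window for the same collector.
"""
import re
from datetime import datetime

SAMPLE_USERIDD_LOG = """\
2014-01-20 14:07:45.498 +0100 pan_user_id_agent_update_unknown_ip_rate_limit: Unknown IP rate is now 101, enabling rate limiting for VM1_collector
2014-01-20 14:07:47.504 +0100 pan_user_id_agent_update_unknown_ip_rate_limit: Unknown IP rate rate is now 76, disable rate limiting for VM1_collector
2014-01-20 14:09:01.000 +0100 pan_user_id_agent_update_unknown_ip_rate_limit: Unknown IP rate is now 140, enabling rate limiting for VM1_collector
2014-01-20 14:09:13.250 +0100 pan_user_id_agent_update_unknown_ip_rate_limit: Unknown IP rate rate is now 40, disable rate limiting for VM1_collector
"""

# The disable message really says "rate rate"; the optional group tolerates both forms.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) [+-]\d{4} "
    r"pan_user_id_agent_update_unknown_ip_rate_limit: Unknown IP rate (?:rate )?is now "
    r"(?P<rate>\d+), (?P<action>enabling|disable) rate limiting for (?P<agent>\S+)$"
)


def parse_rate_limit_events(text):
    """Return one dict per rate-limit message, in file order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
                "rate": int(m["rate"]),
                "enabled": m["action"] == "enabling",
                "agent": m["agent"],
            })
    return events


def rate_limit_windows(events):
    """Pair each 'enabling' with the next 'disable' for the same agent.

    A window with duration_s None is still open at the end of the log, which
    means requests for unknown IPs are still being dropped.
    """
    open_since = {}
    windows = []
    for ev in events:
        if ev["enabled"]:
            open_since[ev["agent"]] = ev
        elif ev["agent"] in open_since:
            start = open_since.pop(ev["agent"])
            windows.append({
                "agent": ev["agent"],
                "start": start["ts"],
                "duration_s": (ev["ts"] - start["ts"]).total_seconds(),
                "peak_rate": start["rate"],
            })
    for agent, start in open_since.items():
        windows.append({"agent": agent, "start": start["ts"],
                        "duration_s": None, "peak_rate": start["rate"]})
    return windows


def unknown_mapping_count(cli_output):
    """Count from 'show user ip-user-mapping all type UNKNOWN option count'."""
    m = re.search(r"Total:\s+(\d+)\s+users", cli_output)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    for w in rate_limit_windows(parse_rate_limit_events(SAMPLE_USERIDD_LOG)):
        print(f"{w['agent']}: limited for {w['duration_s']} s, peak {w['peak_rate']}/s")
    print(unknown_mapping_count("Total: 349 users"))
```

Windows that recur or stay open are the ones worth correlating with the traffic log pattern the article describes (user, then unknown, then user again from the same address), and with the zone exclude list as the fix.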
ialeksov 04-03-2017 02:30 PM
This article is out of date and no longer valid. A newer article exists here: How Does the Device Manage Offloaded Sessions?
sjamaluddin 03-22-2017 09:12 AM
Overview
This document is focused on a change made in Terminal Services Agent 7.0.7. The change is documented in the release notes and the Palo Alto Networks security advisory (PAN-SA-2017-0002). From the release notes: "A security-related fix was made to address a spoofing vulnerability. (CVE-2017-5328 / PAN-SA-2017-0002)"

Problem Description
Prior to Terminal Services Agent (TS Agent) version 7.0.7, a custom script running in 'user' context could reserve an arbitrary source port, circumventing the TS Agent source port allocation range. This was fixed with the change made in TSA 7.0.7. All 'user'-triggered applications are now assigned source ports from the respective TS Agent source port range.

Reverting to behavior prior to TS Agent 7.0.7
Some deployments were relying on their custom application(s) being able to reserve specific source ports, outside of the TS Agent range, to function properly. Because of this, a new registry key was added in version 7.0.7, which can enable the same behavior as in previous TS Agent releases (while running the latest TS Agent):

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\TS Agent\Adv\HonorSrcPortRequest

Based on the configured value, one of 3 behaviors can be chosen:
0: Ignore all application-specified source port requests and allocate the port from the respective TS Agent source port range (default 7.0.7 behavior)
1: Honor application-specified source port requests only if the port is not within the source port allocation range for the interactive user sessions
2: Honor all application-specified source port requests.

Setting the value to "2" makes the agent behave the same way as prior to version 7.0.7, including the source port behavior that the 7.0.7 fix addressed. Setting the value to "1" allows customer applications/scripts to reserve an arbitrary port only if it is outside the TS Agent port range meant for interactive user sessions (usually 20000-39000).

After changing the registry setting, no restart is required. The TS Agent 'debug.log' will immediately show the change. For example:
03/09/17 23:44:04[Info 1829]: Load advanced config HonorSrcPortRequest 1.
03/09/17 23:44:21[Info 1829]: Load advanced config HonorSrcPortRequest 0.
nimark 03-15-2017 09:59 AM
Problem
This article discusses the behaviour of an inconsistent "User Name" in group mapping when multiple group mapping profiles are configured on the firewall. For example, two group mapping profiles are configured, one fetching "sAMaccount" and the other "userPrincipalName". It is observed that the "User Name" changes from "userPrincipalName" to "sAMaccount" and vice versa.

The following section illustrates this behaviour with an example:

Group mapping profile to populate User Name with "sAMaccount"

Group mapping profile to populate User Name with "userPrincipalName"

Here a test user with the following parameters is present in Active Directory:
"userPrincipalName" : dennis.lee@lab333.local
"sAMaccount"        : lab333\dlee

The initial mapping for the user shows the "userPrincipalName" being fetched:
PA-VM-1> show user user-ids
User Name             Vsys      Groups
------------------------------------------------------------------
lab333\dennis.lee     vsys1     cn=support-group,ou=user-groups,ou=departments,dc=lab333,dc=local
Total: 1
* : Custom Group

A manual refresh of the group with sAMaccount overwrites the UPN with the sAMaccount:
PA-VM-1> debug user-id refresh group-mapping group-mapping-name AD-10.129.80.115-sAMaccount
PA-VM-1> show user user-ids
User Name          Vsys       Groups
------------------------------------------------------------------
lab333\dlee       vsys1      cn=support-group,ou=user-groups,ou=departments,dc=lab333,dc=local
Total: 1
* : Custom Group

Solution
This behaviour is seen because both group mapping profiles fetch the users for the same group, and the profile that refreshes last overwrites the previous mapping. If the requirement is to have a consistent User Name attribute for the users belonging to the group, it is advised to use a single group mapping profile.
syadav 01-27-2017 08:37 AM
This document provides the resolution for the error "get-ldap-data failure" appearing repeatedly in the system logs.

Issue
The error "get-ldap-data-failure" appears in the system logs every few minutes.

Cause
This issue is caused when the firewall tries to fetch the group information from AD and the group is no longer present in AD.

Resolution
In the command line, run the following and look for the error below, using the timestamp from the system logs:
> less mp-log useridd.log
2016-12-23 13:47:26.117 -0800 Error: pan_ldap_ctrl_search_single_group(pan_ldap_ctrl.c:3011): failed to get group obj for 'cn=paloaltotestgroup,cn=users,dc=opxlab,dc=pan'
2016-12-23 13:47:26.117 -0800 Error: pan_ldap_ctrl_query_single_included_group(pan_ldap_ctrl.c:3501): pan_ldap_ctrl_search_single_group() failed for 'cn=paloaltotestgroup,cn=users,dc=opxlab,dc=pan'

Check under Group Mapping Settings in Group Include List > Included Groups for this group.

Next, check if the group is still present on the AD server. If the group has been deleted from AD, remove the group from the firewall and commit the changes.
mgarg 01-03-2017 08:18 AM
We can configure Captive Portal for websites that use IPv6 addresses. The configuration is similar to that for IPv4 addresses. In the topology here, we have a web server abcd.com which has an IPv6 address. Both the Palo Alto Networks firewall (PA) and the test system have IPv6 addresses configured.

Topology:

Please use the following steps to configure Captive Portal for an environment that has IPv6 addresses.

Step 1. Create a certificate. The firewall presents this certificate to the end user when they try to access websites.

Step 2. Create the server (SSL/TLS service) profile, name it 'TrustIPV6', and refer to the certificate you created in Step 1, which was 'IPV6CaptivePortal'. See below.

Step 3. Authentication profile: This authentication profile will be used to authenticate the users.

Step 4. Captive Portal settings: Configure Captive Portal under Device > User Identification > Captive Portal. Specify the SSL/TLS service profile and the authentication profile that we created earlier. Specify the redirect host to which the web traffic will be redirected when the user tries to access the websites.

Step 5. Zone: Enable user identification on the zone.

Step 6. Management profile: Create a management profile with the response page enabled.

Step 7. Interface: Call the management profile in the interface configuration.

Step 8. Captive Portal rule: Create a Captive Portal rule for the interesting traffic. Enable decryption for HTTPS websites. Allow the interesting traffic in the security policies.

Output:
pankaku 01-03-2017 01:31 AM
This article examines reasons for SSO failure with the error 'GSS_S_Failure'. For information related to configuring Kerberos for admin or Captive Portal authentication, please click here.

Details:
Error message in the authd logs during Kerberos SSO authentication:

Reason 1:
The algorithm used while generating the keytab is different from the algorithm the TGS uses when issuing service tickets to the clients. The keytab was generated using the algorithm AES256-SHA1, while the service ticket issued to the client by the TGS uses the default algorithm RC4-HMAC. In this case, either the keytab should also be generated using the default algorithm RC4-HMAC, or the Kerberos administrator should be contacted to configure the same algorithm for issuing service tickets. Of the two, aligning the KDC on AES is the better choice, since RC4-HMAC is deprecated for Kerberos (RFC 8429).

Reason 2:
The Windows/Linux client instance, the KDC and/or the firewall have a time difference of more than ~3-4 minutes. It is always better to have their time in sync for SSO to operate correctly.
hagarwal 12-06-2016 07:26 PM
Symptoms
Scenario: A GlobalProtect gateway is configured with the IPSec option enabled, meaning that GlobalProtect clients will always try to establish an IPSec VPN tunnel when connecting to the GlobalProtect gateway. Should the IPSec connection fail, the VPN falls back to the SSL protocol.

Diagnosis
Solution
If one wants to monitor when GlobalProtect clients fail to form an IPSec tunnel and have the ability to historically track down such conditions, it can be done using one of the two options explained below.

When the client connects to the gateway via SSL, the firewall generates the following entry in the System Log:
2016/04/19 12:41:13 info     globalp GP-Gat globalp 0  GlobalProtect gateway client switch to SSL tunnel mode succeeded. User name: client2, Private IP: 10.225.18.2.
So the first option is to monitor the system logs and treat an entry like this as an indication of an SSL VPN being established instead of an IPSec VPN.

Furthermore, if the rasmgr process is set to debug level (debug rasmgr on debug), the following lines are generated in the rasmgr.log file when the client forms an IPSec tunnel:
2016-04-19 12:43:11.127 +0200 debug: sslvpn_tunnel_install_esp(src/rasmgr_sslvpn.c:2738): Installing GW Tunnel, indicate to keymgr
2016-04-19 12:43:23.129 +0200 debug: rasmgr_sslvpn_refresh(src/rasmgr_sslvpn.c:1901): portal GP-Gateway-N, user client2

When the client falls back to an SSL VPN tunnel, the following lines are generated in the rasmgr.log file:
2016-04-19 12:41:13.472 +0200 debug: rasmgr_sysd_update_obj(src/rasmgr_sysd_if.c:1099): change tunnel.ssl.cmd.msg
2016-04-19 12:41:24.262 +0200 debug: rasmgr_sslvpn_refresh(src/rasmgr_sslvpn.c:1901): portal GP-Gateway-N, user client2
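The first monitoring option above (watching the System Log), as an added Python example that is not part of the article. It extracts the user and private IP from each "switch to SSL tunnel mode" entry and counts fallbacks per user, so that clients which repeatedly fail to bring up IPSec stand out. The first log line is the one the article quotes; the others, and the threshold, are constructed.

```python
"""Added example (not from the article): count GlobalProtect IPSec-to-SSL
fallbacks per user from System Log entries.

The first line of the sample is quoted from the article; the remaining lines
are constructed, and the unrelated last line shows that non-matching entries
are ignored.
"""
import re
from collections import Counter

SAMPLE_SYSTEM_LOG = """\
2016/04/19 12:41:13 info     globalp GP-Gat globalp 0  GlobalProtect gateway client switch to SSL tunnel mode succeeded. User name: client2, Private IP: 10.225.18.2.
2016/04/19 12:55:02 info     globalp GP-Gat globalp 0  GlobalProtect gateway client switch to SSL tunnel mode succeeded. User name: client2, Private IP: 10.225.18.2.
2016/04/19 13:10:44 info     globalp GP-Gat globalp 0  GlobalProtect gateway client switch to SSL tunnel mode succeeded. User name: client7, Private IP: 10.225.18.9.
2016/04/19 13:12:00 info     general general 0  constructed unrelated system log entry
"""

FALLBACK_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) .*?"
    r"client switch to SSL tunnel mode succeeded\. "
    r"User name: (?P<user>[^,]+), Private IP: (?P<ip>[\d.]+)\.$"
)


def ssl_fallback_events(text):
    """One dict per SSL-fallback entry: timestamp, user and assigned private IP."""
    events = []
    for line in text.splitlines():
        m = FALLBACK_RE.match(line)
        if m:
            events.append({"ts": m["ts"], "user": m["user"], "ip": m["ip"]})
    return events


def fallbacks_per_user(events):
    """Counter of fallback events keyed by username."""
    return Counter(ev["user"] for ev in events)


def users_over_threshold(events, threshold=2):
    """Users whose fallback count reaches the threshold, most frequent first.

    A user who keeps landing on SSL is a candidate for checking whether the
    IPSec path from that client is being blocked somewhere on the way.
    """
    counts = fallbacks_per_user(events)
    return [user for user, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    evs = ssl_fallback_events(SAMPLE_SYSTEM_LOG)
    print(fallbacks_per_user(evs))
    print(users_over_threshold(evs))
```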
djoksimovic 12-06-2016 06:05 PM
Symptoms
Consider a proxy server deployed between users on a network and the firewall. In such a case, the firewall shows the proxy server's IP address as the source IP address in the traffic logs. Hence, restricting access based on the actual user, and determining the actual user from the traffic logs, is not possible.

This article focuses on providing a solution to this issue. Note: This is applicable to PAN-OS 7.0 and later.

Diagnosis
Prerequisites:
- The proxy server should add an X-Forwarded-For (XFF) header containing the actual IP of the client when forwarding to the firewall.
- Configure User Identification on the firewall to gather IP-user mappings.
- Enable XFF identification for User-ID. To learn more about this, please click here.

Solution
Setup:
Proxy server (192.168.30.103) ---- PA Firewall ----- Internet

Configure security policies on the firewall as shown, in this order:

Details:
Allow DNS - Required to allow DNS queries before the actual connection.

Allow Handshake - Required to allow the TCP 3-way handshake, because the XFF header is in the HTTP GET packet, which follows the 3-way handshake. Hence, the user mapping can be determined only after the initial handshake. The following are traffic logs for the initial 3-way handshake:

Note that this policy has a URL filtering profile applied to allow only the initial 3-way handshake and no web browsing. After the 3-way handshake, further action is determined by the user-specific policies:

XFF - Required for restricting user-based access (the application can be changed to the specific web-browsing application [since XFF is in HTTP] or combined with other user-based policies as required). Also, a URL filtering profile could be applied for more restrictions on traffic.

After HTTP GET packets come to the firewall from the proxy server, the firewall checks the IP-user mapping table to find and apply policies based on the source user.

GET Packet:

User Mapping:

Policy Shift:

Additional notes:
- For HTTPS, the complete SSL handshake needs to be allowed (as in Allow Handshake, but with no URL filtering) and SSL decryption needs to be enabled to read the XFF header and check the user mapping.
- If there is no user mapping for the IP in XFF, Source User will be blank in the traffic logs and user-based policies will not come into action.
- If you enable XFF for User-ID, URL filtering logs will show the username in Source User instead of the XFF IP. To see how to enable XFF in URL filtering logs, please click here.
- XFF can be enabled for URL filtering logs even if there is no URL filtering license. For more details, please click here.
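The policy shift described above, as an added Python example that is not part of the article. It parses a forwarded HTTP GET for the X-Forwarded-For header, looks the client address up in an IP-user mapping, and shows which rule a session hits at the handshake versus after the request is inspected, including the case from the notes where the XFF address has no mapping. The proxy address 192.168.30.103 is the one in the article's setup; the request bytes, the mapping table and the rulebase are constructed. The example only honours XFF on packets that really arrive from the known proxy, since any client could otherwise insert the header itself.

```python
"""Added example (not from the article): rule selection before and after the
X-Forwarded-For header has been seen.

Constructed for illustration: the request bytes, the IP-user mapping and the
rulebase are made up; 192.168.30.103 is the proxy address from the article.
The handshake-only behaviour of the "Allow Handshake" rule is modelled with a
simple "phase" field rather than a URL filtering profile.
"""
TRUSTED_PROXIES = {"192.168.30.103"}

# Constructed IP-user mapping table (what User-ID learned for the real clients).
IP_USER_MAPPING = {
    "10.20.0.45": "lab\\alice",
    "10.20.0.46": "lab\\bob",
}

# Constructed rulebase in the order the article configures it.
RULEBASE = [
    {"name": "Allow DNS", "app": "dns", "user": None, "phase": None, "action": "allow"},
    {"name": "Allow Handshake", "app": None, "user": None, "phase": "handshake", "action": "allow"},
    {"name": "XFF", "app": "web-browsing", "user": "lab\\alice", "phase": None, "action": "allow"},
    {"name": "Deny-rest", "app": None, "user": None, "phase": None, "action": "deny"},
]

# Constructed HTTP GET as forwarded by the proxy; the first XFF address is the client.
SAMPLE_GET = (
    b"GET / HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"X-Forwarded-For: 10.20.0.45, 192.168.30.103\r\n"
    b"\r\n"
)


def client_ip_from_xff(raw_request, src_ip):
    """Return the original client IP from X-Forwarded-For, or None.

    The header is only trusted when the packet comes from the known proxy.
    """
    if src_ip not in TRUSTED_PROXIES:
        return None
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"x-forwarded-for":
            return value.split(b",")[0].strip().decode("ascii")
    return None


def source_user(raw_request, src_ip):
    """Source User as it would appear in the traffic log: None (blank) if unmapped."""
    client_ip = client_ip_from_xff(raw_request, src_ip)
    return IP_USER_MAPPING.get(client_ip) if client_ip else None


def match_rule(app, user, phase):
    """Top-down match; a rule with user None applies to any (or no) user."""
    for rule in RULEBASE:
        if rule["phase"] is not None and rule["phase"] != phase:
            continue
        if rule["app"] is not None and rule["app"] != app:
            continue
        if rule["user"] is not None and rule["user"] != user:
            continue
        return rule["name"]
    return None


def policy_for_session(raw_request, src_ip):
    """(rule hit at the TCP handshake, rule hit once the GET has been inspected)."""
    handshake_rule = match_rule(None, None, "handshake")
    user = source_user(raw_request, src_ip)
    return handshake_rule, match_rule("web-browsing", user, "request")


if __name__ == "__main__":
    print(policy_for_session(SAMPLE_GET, "192.168.30.103"))
```

With Alice's address in XFF the session moves from "Allow Handshake" to the "XFF" rule; with Bob's, or with an unmapped address, Source User does not satisfy the user-based rule and the session falls through to the deny rule, which is the behaviour the second additional note describes.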
hagarwal 12-05-2016 03:55 PM
Symptoms
Symptoms can range over the following, but the list is not exhaustive:
- slow or unable to commit successfully, mainly due to memory depletion
- repeated useridd process crash files
- useridd process is always the top %CPU consumer in the CLI command 'show system resources'
- GlobalProtect users unable to connect
- a reboot regains responsiveness and functionality
- group-mapping truncation observed in the CLI command 'debug user-id dump idmgr type user-group all'
- HA sync failing
- traffic hitting incorrect rules
- repeated system logs similar to the below:
2016/06/15 06:47:40 critical general general 0 User-ID manager was reset. Commit is required to reinitialize User-ID
2016/06/15 06:47:40 critical general general 0 User-ID manager was reset. Commit is required to reinitialize User-ID
2016/06/15 06:47:39 critical general general 0 User-ID manager was reset. Commit is required to reinitialize User-ID
2016/06/15 06:47:39 critical general general 0 User-ID manager was reset. Commit is required to reinitialize User-ID
2016/06/15 06:47:39 critical general general 0 User-ID manager was reset. Commit is required to reinitialize User-ID
- repeated masterd.log entries similar to the below:
2016-06-04 03:38:54.278 +0100 INFO: useridd: User restart reason - Virtual memory limit exceeded (3979520 > 2560000)
2016-06-04 03:39:34.378 +0100 INFO: useridd: received user restart
2016-06-04 03:39:34.392 +0100 INFO: useridd: User restart reason - System swap memory usage too high (86024 free)

Diagnosis
The group mapping pulled by the firewall from the AD/LDAP servers is very large.
> show user group-mapping state all
Group Mapping(vsys1, type: active-directory): Company AD Group Information (job 13)
Bind DN : serviceaccount@company.com
Base : DC=company,DC=com
Group Filter: (None) <<<<<===== no group filter
User Filter: (None)
Servers : configured 1 servers
10.129.80.232(389)
Last Action Time: 19577 secs ago(took 4972 secs) <<<<<===== It took 1.38hrs to pull the data from AD
Next Action Time: Now (started 15977 secs ago)
Number of Groups: 118412 <<<<<<====== very high
<output cut for brevity>

Solution
Configure a group include list so that the firewall queries only the specific groups on the list. On the WebUI: Device > User Identification > Group Mapping Settings > {select Group-Mapping instance} > Group Include List > {select from the left the specific groups used by firewall policies}.

The limitation in this regard comes from one of the two ceilings below, whichever is hit first:

1) On all platforms, whether hardware or VM, the maximum number of user groups is 99,999, as this is the maximum number of user groups supported in idmgr.
#system logs
User-ID manager was reset. Commit is required to reinitialize User-ID
#useridd.log
2016-06-15 06:49:14.512 +0100 Error: _pan_idmgr_find_avail_id(pan_idmgr.c:464): no id avail for type 22 last id 2147583647
Here 2147583647 is special, because 1024*1024*1024*2 = 2147483648 and 2147583647 - 2147483648 = 99999. 99,999 is the maximum number of groups supported in idmgr. In this case the problem may or may not come with high memory; high memory does not necessarily have to occur.

or

2) The useridd process virtual memory limit, which depends on the platform. To give an example, see the CLI command below for a PA-5050; it shows a virtual limit of 2097152 or ~2 GB. This means that the useridd process can restart at any time if it exceeds this value; the system logs will show something similar to 'User restart reason - Virtual memory limit exceeded'.
> show system state | match snmpd.script.runtime
md.apps.s0.mp.prc.snmpd.script.runtime: { 'actions': [ { 'action': timer-create, 'event': hbScript, 'interval': 300, 'name': hb-script, }, ], 'count': 1, 'display': , 'external-restart-ok': True, 'group': { }, 'hb-enable': True, 'limits': { 'enable-fd-limit': False, 'enable-virt-limit': False, 'enable-vmrss-limit': False, 'fd-limit': 1024, 'virt-limit': 2097152, 'vmrss-limit': 33554432, }, 'process': { 'core-dumped': False, 'exit-code': 0, 'pid': 3575, }, 'restart-enable': True, 'state-machine': { 'count': 1, 'event': hbScript, 'state': running, 'timer': hb-script, }, 'sysd-namespaces': [ ], 'sysd-notifiers': { }, }

Note: The maximum number of groups that can be defined in policies per vsys is 640.
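A checker for the diagnosis above, as an added Python example that is not part of the article. It parses the output of 'show user group-mapping state all', flags the three conditions the article points at (no group filter, a very long fetch, and a group count above the idmgr ceiling), and reproduces the id arithmetic behind the 99,999 limit from the 'last id' value in the useridd.log error. The sample output is the article's, including the author's '<<<<<=====' annotations, which the parser tolerates; the one-hour threshold for a slow fetch is an assumption, not a firewall default.

```python
"""Added example (not from the article): sanity-check a group-mapping state
dump against the limits the article describes.

The sample output is the article's. SLOW_FETCH_SECS is an assumed threshold
chosen for this example; the other two constants are the article's figures.
"""
import re

IDMGR_MAX_GROUPS = 99_999                 # maximum groups supported in idmgr
IDMGR_ID_BASE = 1024 * 1024 * 1024 * 2    # 2147483648, start of the group id space
SLOW_FETCH_SECS = 3600                    # assumption: flag fetches longer than an hour

SAMPLE_STATE = """\
Group Mapping(vsys1, type: active-directory): Company AD Group Information (job 13)
Bind DN : serviceaccount@company.com
Base : DC=company,DC=com
Group Filter: (None) <<<<<===== no group filter
User Filter: (None)
Servers : configured 1 servers
10.129.80.232(389)
Last Action Time: 19577 secs ago(took 4972 secs) <<<<<===== It took 1.38hrs to pull the data from AD
Next Action Time: Now (started 15977 secs ago)
Number of Groups: 118412 <<<<<<====== very high
"""


def idmgr_groups_allocated(last_id):
    """Groups already allocated when idmgr reports 'no id avail ... last id N'."""
    return last_id - IDMGR_ID_BASE


def parse_group_mapping_state(text):
    """Pull the fields the checker needs out of one group-mapping block."""
    state = {}
    m = re.search(r"^Group Mapping\((?P<vsys>[^,]+), type: (?P<type>[^)]+)\): "
                  r"(?P<name>.+?) \(job (?P<job>\d+)\)", text, re.M)
    if m:
        state.update(vsys=m["vsys"], type=m["type"], name=m["name"], job=int(m["job"]))
    m = re.search(r"^Group Filter: (\S+)", text, re.M)
    state["group_filter"] = None if not m or m.group(1) == "(None)" else m.group(1)
    m = re.search(r"^Last Action Time: (\d+) secs ago\(took (\d+) secs\)", text, re.M)
    if m:
        state["last_action_secs_ago"] = int(m.group(1))
        state["last_fetch_secs"] = int(m.group(2))
    m = re.search(r"^Number of Groups: (\d+)", text, re.M)
    if m:
        state["number_of_groups"] = int(m.group(1))
    return state


def assess(state):
    """Return the findings a practitioner would raise for this profile."""
    findings = []
    if state.get("group_filter") is None:
        findings.append("no group filter: every group under the base DN is fetched")
    took = state.get("last_fetch_secs")
    if took is not None and took > SLOW_FETCH_SECS:
        findings.append(f"last fetch took {took / 3600:.2f} h ({took} s)")
    n = state.get("number_of_groups")
    if n is not None and n > IDMGR_MAX_GROUPS:
        findings.append(f"{n} groups exceeds the idmgr limit of {IDMGR_MAX_GROUPS}")
    return findings


if __name__ == "__main__":
    st = parse_group_mapping_state(SAMPLE_STATE)
    for finding in assess(st):
        print("-", finding)
    print("groups allocated at last id 2147583647:", idmgr_groups_allocated(2147583647))
```

All three findings fire on the article's sample, and the allocated-group count computed from the 'last id' in the useridd.log error is exactly the 99,999 ceiling, which is the quickest way to tell this failure apart from a plain memory-limit restart.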
pagmitian 12-05-2016 03:48 PM
Symptoms
Users are prompted to refresh the page several times to get the Captive Portal login page, in all versions of Android OS, including Lollipop and Marshmallow. This behavior is seen only for the first instance, when they connect to a new wifi network, or when they forget an existing network and rejoin as a new user.

Diagnosis
Whenever the Android device establishes a connection to a wifi network, it automatically tries to visit a particular site and fetch a file named "generate_204". If it fails to get this, it shows an exclamation symbol next to the wifi icon, indicating there is no internet connectivity. This is expected behavior and it is hard coded in the Android OS. The sites differ between Android OS versions.

This code is used to detect whether there is a Captive Portal configured somewhere in the network; if so, the device prompts to open a browser to complete the CP authentication process.

See the links below for the code used in Marshmallow, Lollipop and KitKat:
1. KitKat
http://androidxref.com/4.4.4_r1/xref/frameworks/base/core/java/android/net/CaptivePortalTracker.java
2. Lollipop
http://androidxref.com/5.1.1_r6/xref/frameworks/base/packages/CaptivePortalLogin/src/com/android/captiveportallogin/CaptivePortalLoginActivity.java
3. Marshmallow
http://androidxref.com/6.0.0_r1/xref/frameworks/base/packages/CaptivePortalLogin/src/com/android/captiveportallogin/CaptivePortalLoginActivity.java

See the example screenshots below:

This results in overburdening the Captive Portal service on the Palo Alto Networks firewall: the firewall waits for the request to time out, and then posts the login page to the user. The default timeout value configured in the Android OS is 10,000 milliseconds.

Solution
The solution is to create a custom URL category that includes the following sites, and exclude it from Captive Portal authentication.

KitKat version:
clients3.google.com/
clients3.google.com/generate_204

Lollipop version:
connectivitycheck.android.com
connectivitycheck.android.com/generate_204

Marshmallow version:
connectivitycheck.gstatic.com
connectivitycheck.gstatic.com/generate_204
smalayappan 11-09-2016 10:58 AM
Symptom
User-ID updates sent to the User-ID Agent via XML with a timeout value are not removed from the User-ID Agent when the timeout expires, but they are removed on the Palo Alto Networks firewall. Although this is not a serious issue, customers may want to look at the User-ID Agent GUI to see the connected users.

Cause
The User-ID Agent does not proactively time out entries. However, it keeps track of each entry's timestamp and timeout value. When the User-ID Agent receives a get-all or query-ip, each entry is examined and deleted if it has timed out.

Resolution
To trigger a get-all, perform one of the following steps:
- Close and reopen the User-ID Agent GUI. This triggers a get-all to the agent service and the timed-out entries are deleted.
- Run the following command on the Palo Alto Networks firewall to trigger a get-all:
> debug user-id refresh user-id agent <name>
In this case, the agent service deletes the timed-out entries and then informs all connected firewalls. The User-ID Agent GUI will show that all entries for timed-out users are removed.
sberti 11-03-2016 06:12 AM
PAN-OS 6.1 and later

Details
Use the following CLI command to show the User-ID user for an email address:
> show user email-lookup
+ base               Default base distinguished name (DN) to use for searches
+ bind-dn            bind distinguished name
+ bind-password      bind password
+ domain             Domain name to be used for username
+ group-object       group object class(comma-separated)
+ name-attribute     name attribute
+ proxy-agent        agent ip or host name.
+ proxy-agent-port   user-id agent listening port, default is 5007
+ use-ssl            use-ssl
* email              email address
> mail-attribute     mail attribute
> server             ldap server ip or host name.
> server-port        ldap server listening port

Example:
> show user email-lookup base "DC=lab,DC=sg,DC=paloaltonetworks,DC=local" bind-dn "CN=Administrator,CN=Users,DC=lab,DC=sg,DC=paloaltonetworks,DC=local" bind-password paloalto use-ssl no email user1@lab.sg.paloaltonetworks.local mail-attribute mail server 10.1.1.1 server-port 389
labsg\user1

owner: hlim
HLim 08-30-2016 02:44 AM