USER-ID Settings: Why is the "User Identification Timeout" a global setting

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

USER-ID Settings: Why is the "User Identification Timeout" a global setting

L0 Member

Hi,

i use a syslog collector to receive ip-user-mappings from an Juniper Secure Access Gateway.

It works quite fine, i created a custom syslog filter on my paloalto and created the correspondig Server Monitor entry for my Juniper Systems.

a simple "show user server-monitor state all" on the commandline shows that the collector receives the corresponding logs and that the filter works:

        UDP Syslog Listener Service is enabled
        SSL Syslog Listener Service is disabled

Proxy: xxxxx    Host: xxxxx(1xxx.xxx.xxx.xxx)
        number of log messages                            : 83
        number of auth. success messages                  : 16

additionaly the commands "show user ip-user-mapping all type SYSLOG" show that the current mappings:

IP                        From       User                   IdleTimeout(s) MaxTimeout(s)

---------------               -------         --------------------------- --------------       -------------

xxx.xxx.xxx.xxx      SYSLOG  xxx                    2429             2429
xxx.xxx.xxx.xxx      SYSLOG  xxx                    1619             1619
xxx.xxx.xxx.xxx      SYSLOG  xxx                    2404             2404
xxx.xxx.xxx.xxx      SYSLOG  xxx                    2678             2678

Total: 4 users

The probem is that my juniper does not log any keep alive messages, so when the "Idle Timeout" or the "Max Timeout" on the paloalto for the mapping is reached. The mapping will be deleted, regardless of a still existing session on my juniper.

I thought that one solution might be to increase the "User Identification Timeout" but then i saw that this is a global setting on the pa and that this setting will also increase the Timeouts for my AD User-Agent and my Terminalserver-Agents.

Why can there be different timeout values for the different User-ID Domains, i saw that you already seperated them ...

  AD   Active Directory
  CP   Captive Portal
  EDIR eDirectory
  GP   Global Protect
  NTLM NTLM

  SSL/VPN   SSL VPN

  SYSLOGSyslog
  UIA  User-ID Agent

  UNKNOWN   Unknown

  XMLAPIXML API

Kind regards

Christoph

2 REPLIES 2

L0 Member

Hi,

You could parse syslog messages on another device (ex. Linux), and next generate XML-API update request to USER-ID with choosen timeout value.

Juniper -> (Syslog) -> Linux Server -> (XML-API) -> Palo Device

Setting the Timeout for User to IP mapping Created Using User-ID XML-API

http://www.rsyslog.com/doc/v8-stable/configuration/actions.html?highlight=execute#shell-execute

T.

L2 Linker

It looks like you are using the onbox agent to send the syslog to.  If you have the resource why don't you install the V6 UserID agent on a server and point the syslog from the Juniper to that.  The timeout setting on the agent will then be unique to only your syslog users.

I do however agree that you should be able to set different timeout values for each type of user-ip mapping.  But the above should be a sufficient work around

  • 3240 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!