i use a syslog collector to receive ip-user-mappings from an Juniper Secure Access Gateway.
It works quite fine, i created a custom syslog filter on my paloalto and created the correspondig Server Monitor entry for my Juniper Systems.
a simple "show user server-monitor state all" on the commandline shows that the collector receives the corresponding logs and that the filter works:
UDP Syslog Listener Service is enabled
SSL Syslog Listener Service is disabled
Proxy: xxxxx Host: xxxxx(1xxx.xxx.xxx.xxx)
number of log messages : 83
number of auth. success messages : 16
additionaly the commands "show user ip-user-mapping all type SYSLOG" show that the current mappings:
--------------- ------- --------------------------- -------------- -------------
|xxx.xxx.xxx.xxx SYSLOG xxx||2429||2429|
|xxx.xxx.xxx.xxx SYSLOG xxx||1619||1619|
|xxx.xxx.xxx.xxx SYSLOG xxx||2404||2404|
|xxx.xxx.xxx.xxx SYSLOG xxx||2678||2678|
Total: 4 users
The probem is that my juniper does not log any keep alive messages, so when the "Idle Timeout" or the "Max Timeout" on the paloalto for the mapping is reached. The mapping will be deleted, regardless of a still existing session on my juniper.
I thought that one solution might be to increase the "User Identification Timeout" but then i saw that this is a global setting on the pa and that this setting will also increase the Timeouts for my AD User-Agent and my Terminalserver-Agents.
Why can there be different timeout values for the different User-ID Domains, i saw that you already seperated them ...
SSL/VPN SSL VPN
You could parse syslog messages on another device (ex. Linux), and next generate XML-API update request to USER-ID with choosen timeout value.
Juniper -> (Syslog) -> Linux Server -> (XML-API) -> Palo Device
It looks like you are using the onbox agent to send the syslog to. If you have the resource why don't you install the V6 UserID agent on a server and point the syslog from the Juniper to that. The timeout setting on the agent will then be unique to only your syslog users.
I do however agree that you should be able to set different timeout values for each type of user-ip mapping. But the above should be a sufficient work around
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!