Agentless USER-ID - rules

burtond · ‎01-14-2016

Good Day

I'm testing user-id in policy-rules and its not working the way I thought it would.

Example Rule

src zone/ip - Zone A/any

dst zone/ip - Zone B/any

user - gdc\test.user

application - any

service - application-default

action - allow

I start a ping to a server/workstation from Zone A to Zone B and I get request timeout, but if I remove the user the ping works.

This is not how I thought it would work, I thought if I'm pinging from a workstation logged in as test.user that in the rule if I added the user it would ping throw, but it isn't.

Can you tell me why this is happening?

Dana

burtond · ‎01-18-2016

Thanks Reaper, worked like a charm....very cool

View solution in original post

Brandon_Wertz · ‎01-14-2016

have you validated that the firewall has a mapping of the IP to User?

Do you see a deny log showing the ICMP request with the source user the traffic is being generated from?

burtond · ‎01-14-2016

Yes it connects to the AD brings back the userid mappings, and yes it is dropping the ICMP ping, but as I mentioned if I delete the user the ping works.

OtakarKlier · ‎01-14-2016

Hello,

When you are lookigng at the logs, Click the maginifying glass on the far left and see if its picking up the username.

Regards,

Brandon_Wertz · ‎01-14-2016

When you say "it brings back the user id mappings." Does it actually provide the IP to User ID mapping for the source user in question?

In the deny log, does the denied ICMP request show the source user ID that you're expecting?

You should see something like this:

ME@FIREWALLNAME(active)> show user ip-user-mapping(mp) ip (USER IP 1.1.11)

IP address: (USER IP 1.1.1.1) (vsys1)
User: (USER ID)
From: UIA
Idle Timeout: 3371s
Max. TTL: 3371s
Groups that the user belongs to (used in policy)

burtond · ‎01-15-2016

Yes I get the correct user mapping. The rule is jump and go to the deny all rule a the bottom of the rules set... which is wierd, but if I set the User tab to "known-user" it works..... but not if I choose select and put in the group.

Brandon_Wertz · ‎01-15-2016

@burtond some screen shots might be helpful for us...Rule/Logs

Also if you're using a "group" in the rule do you have that group in the "Group Mapping?" In the user identifcation in the "Group Include List?"

burtond · ‎01-15-2016

Yes, I've even removed the User Identification setting commited and configured it again and still the same issue

burtond · ‎01-15-2016

Networking

Groups

User Mappings

User

All the groups

Group Domain Users

Rule that works

Ping to Zone B

Ping Allowed

Rule that doesn't work

Ping to Zone B 2

Ping dropped

reaper · ‎01-17-2016

Hi

In your group mapping, the users are mapped as 'zonea.ca\user' while in the user mapping, the user is 'zonea\user'

This means the mapping information from the group is set to the FQDN while the uidagent collects the netbios domain

this causes a mismatch when your security policy is set to a group

you can resolve this issue by setting the group mapping user domain to the netbios version:

once this is committed, refresh your group mapping

> debug user-id reset group-mapping all
> debug user-id refresh group-mapping all

afterward your users should start showing up in the group listing as zonea\user1 zonea\user2 etc

hope this helps

Tom

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

burtond · ‎01-18-2016

I'm running PAN-VM version 6.17 so the Group Mapping - Server Profile tab looks like this

burtond · ‎01-18-2016

I found it, it is under the Server Profile - LDAP, thanks

burtond · ‎01-18-2016

Thanks Reaper, worked like a charm....very cool

Unlock your full community experience!

Agentless USER-ID - rules

Agentless USER-ID - rules

Show your appreciation!