12-05-2016 10:03 AM
I have a lab setup with two Palo Alto firewalls (PA-200). I am running it with the code it came with the device (PAN-OS 5.0.6).
I configured User-ID as per the guidelines on this link (https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-Agentless-User-ID/ta-p/...). However, I was unable to get it to work. So I followed this article and added groups by linking my PA devices to my lab AD DS server.
I am able to see all the users when I do show user user-IDs. However, I am unable to view user-to-IP mappings.
Any suggestions or link to known issues (with error code and link) is much appreciated.
Regards,
Naresh Babu Deendayalan
12-05-2016 10:56 AM
The first thing that comes to mind is that you missed setting up User Identification on the zone configuration. Without that configured, one would experience exactly what you are describing.
12-05-2016 04:19 PM - edited 12-05-2016 04:28 PM
Thank you for your response. I did configure the zone to accept the User-ID service and I also configured the Interface Management profile to allow User-ID services.
I followed all the steps carefully and made sure everything is in place. However, I could not get it to work for some unknown reason.
Just to add on to my description: I am running virtual clients hosted on college desktops that are part of the college domain. Could that be a problem? I do not have physical hardware that I can join to my lab domain and test it.
Any suggestion or reference to an article that has solution to this issue is much appreciated.
Regards,
Naresh Babu Deenadayalan
12-06-2016 04:16 AM
Did you make sure to enable audit logs for successful logins on the Active Directory? By default those are disabled, so there are no logs for the User-ID to read.
check out this article: Getting Started: User-ID
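A way to verify the audit-log point raised above, as an added example that is not part of the original reply or of Palo Alto's documentation. It assumes an elevated PowerShell session on the domain controller, English audit category names, and that the events of interest are 4624, 4768, 4769 and 4770 (the logon and Kerberos success events on Server 2008 and later).

```powershell
# Added diagnostic: run in an elevated PowerShell session on the domain controller.
# Assumption: these are the Security-log event IDs that carry user and source IP.
$ids = 4624, 4768, 4769, 4770

# 1. Show whether Success auditing is enabled for the relevant categories.
#    Category names are localized; these are the English names.
auditpol /get /category:"Logon/Logoff"
auditpol /get /category:"Account Logon"

# 2. Pull the last hour of matching events. No events means nothing to map from.
$filter = @{ LogName = 'Security'; Id = $ids; StartTime = (Get-Date).AddHours(-1) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning 'No logon/Kerberos success events in the last hour: check the audit policy.'
    return
}

# 3. Reduce each event to the user and source address it records.
$mappings = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $user = $data['TargetUserName']
    $ip   = "$($data['IpAddress'])" -replace '^::ffff:', ''   # Kerberos events prefix IPv4 this way
    if (-not $user -or $user -match '\$(@|$)') { continue }   # skip machine accounts (NAME$)
    if (-not $ip -or $ip -in '-', '::1', '127.0.0.1') { continue }  # skip local/empty sources
    [pscustomobject]@{ Time = $e.TimeCreated; EventId = $e.Id; User = $user; IP = $ip }
}
$mappings | Sort-Object Time -Descending | Select-Object -First 20 | Format-Table -AutoSize
```

If the table lists the lab clients' users and addresses, the domain controller is logging what is needed and the problem lies on the firewall side; if it is empty or only the warning appears, success auditing is the gap.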
12-06-2016 05:44 AM
Using VMs to join your lab domain isn't going to be an issue as long as those VMs have successfully joined your lab domain. The machine that the VM is running on does not need to be a member of any particular domain to get the VMs to function properly for this test.
Look at what @reaper pointed out, as that would also cause the same issue to be present when you are trying to map users to IPs.
12-06-2016 05:46 AM - edited 12-06-2016 05:47 AM
Just to throw this out there as well, but 5.0.6 is ancient code. If you are just trying to get a feel for PA and how they operate this would function 'okay', but I would seriously consider finding a way to either work in an environment with newer code or paying for the lab licensing so that you can actually upgrade these devices and use all of their features.
12-06-2016 11:09 AM - edited 12-06-2016 11:11 AM
Thank you reaper, I didn't check that to be honest. Let me check and get back to you with the findings.
Regards,
Naresh Babu Deenadayalan
12-06-2016 11:20 AM
@BPry, thank you for responding. Even I don't like to use 5.0.6 personally, however I have no choice. My college just bought the license and I cannot upgrade the code at this time because my project is due in a week. I can't afford any time to troubleshoot in case of malfunction. I will definitely try @reaper's suggestion and update you guys with my findings. Hopefully, it works.
Regards,
Naresh Babu Deenadayalan
12-07-2016 09:16 AM
Hi Naresh,
v5 is also out of support now I believe.
https://www.paloaltonetworks.com/services/support/end-of-life-announcements/end-of-life-summary
Ben