Any known issues with PAN OS 5.0 for user-ID and IP mapping not working?


I have a lab setup with two Palo Alto firewalls (PA-200). I am running it with the code that came with the device (PAN OS 5.0.6).

I configured User-ID as per the guidelines on this link (https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-Agentless-User-ID/ta-p/...). However, I was unable to get it to work. So I followed this article and added groups by linking my PA devices to my LAB ADDS server.

https://live.paloaltonetworks.com/t5/Management-Articles/Troubleshooting-User-ID-Group-and-User-to-I...

I am able to see all the users when I do show user user-IDs. However, I am unable to view user to IP mappings.

Any suggestions or link to known issues (with error code and link) is much appreciated.

 

Regards,

Naresh Babu Deendayalan

 

8 REPLIES

Cyber Elite

The first thing that comes to mind is that you missed setting up User Identification on the zone configuration. Without that configured, one would experience exactly what you are describing.

Thank you for your response. I did configure the zone to accept the User-ID service and I also configured the Interface management profile to allow User-ID services.

I followed all the steps carefully and made sure everything is in place. However, I could not get it to work for some unknown reason.

Just to add on to my description: I am running virtual clients hosted on college desktops that are part of the college domain; could that be a problem? I do not have physical hardware that I can join to my lab domain and test it.

Any suggestion or reference to an article that has a solution to this issue is much appreciated.

 

Regards,

Naresh Babu Deenadayalan

Did you make sure to enable audit logs for successful logins on the Active Directory? By default those are disabled, so there are no logs for the UserID to read.

Check out this article: Getting Started: User-ID

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
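
A way to check the point raised in the reply above, as an added example that is not part of the original thread or of any Palo Alto Networks tooling: it verifies on the domain controller that Success auditing is enabled and that logon events carrying a user and an IP address are actually being written. It assumes the Security-log event IDs commonly documented for agentless User-ID on Windows Server 2008 and later (4624, 4768, 4769, 4770) and English `auditpol` subcategory names.

```powershell
# Added example: run in an elevated PowerShell session on the domain controller
# that the firewall reads Security-log events from.
# Assumption: User-ID builds mappings from events 4624, 4768, 4769 and 4770.
$eventIds = 4624, 4768, 4769, 4770
# Assumption: English subcategory names; auditpol output is localized.
$subcategories = 'Logon', 'Kerberos Authentication Service',
                 'Kerberos Service Ticket Operations'

# 1. Is Success auditing enabled for the subcategories that emit those events?
#    "auditpol /r" prints CSV; the "Inclusion Setting" column holds the setting.
$policy = auditpol /get /category:* /r | Where-Object { $_ } | ConvertFrom-Csv
foreach ($name in $subcategories) {
    $row     = $policy | Where-Object { $_.Subcategory -eq $name }
    $setting = if ($row) { $row.'Inclusion Setting' } else { 'not found' }
    $verdict = if ($setting -like '*Success*') { 'OK' } else { 'NO SUCCESS AUDITING' }
    '{0,-40} {1,-22} {2}' -f $name, $setting, $verdict
}

# 2. Are the events actually being written? Count them over the last hour.
$filter = @{ LogName = 'Security'; Id = $eventIds; StartTime = (Get-Date).AddHours(-1) }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) {
    'No matching events in the last hour: there is nothing to build mappings from.'
} else {
    $events | Group-Object Id | Sort-Object Name | Format-Table Name, Count -AutoSize
}

# 3. Show the user/IP pairs carried by recent 4624 logon events.
$events | Where-Object Id -eq 4624 | Select-Object -First 20 | ForEach-Object {
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time = $_.TimeCreated
        User = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        IP   = $data['IpAddress']
        Type = $data['LogonType']
    }
} | Format-Table -AutoSize
```

If step 1 reports no Success auditing, steps 2 and 3 will normally come back empty, which matches the symptom of users being listed without any user-to-IP mappings.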

Using VMs to join your lab domain isn't going to be an issue as long as those VMs have successfully joined your lab domain. The machine that the VM is running on does not need to be a member of any particular domain to get the VMs to function properly for this test.

Look at what @reaper pointed out, as that would also cause the same issue to be present when you are trying to map users to IPs. 

Cyber Elite

Just to throw this out there as well, but 5.0.6 is ancient code. If you are just trying to get a feel for PA and how they operate this would function 'okay', but I would seriously consider finding a way to either work in an environment with newer code or paying for the lab licensing so that you can actually upgrade these devices and use all of their features.

Thank you reaper, I didn't check that to be honest, let me check and get back to you with the findings.

 

Regards,

Naresh Babu Deenadayalan

@BPry, thank you for responding. Even I don't like to use 5.0.6 personally; however, I have no choice. My college just bought the license and I cannot upgrade the code at this time because my project is due in a week. I can't afford any time to troubleshoot in case of malfunction. I will definitely try @reaper's suggestion and update you guys with my findings. Hopefully, it works.

 

Regards,

Naresh Babu Deenadayalan
