FW loses user mapping stop matching rule suddenly


L4 Transporter

Hi,

 

We are having a strange issue in our FW. Users on VPN-SSL reported that it stopped working. The issue doesn't have any pattern: random users, random time ranges.

The issue is solved when the customer forces a reconnect of the VPN or forces a HIP check in the GP client.

 

This is what we see in the FW monitor logs. The FW stops identifying the user and jumps the rule.

 

I've added the monitor traffic:

 

What log file can give me info (userid, authd)?

[attachment: hipra logs.JPG]

L4 Transporter

Any log or any idea?

Cyber Elite

Hi @BigPalo 

- What OS version are you using?

- Have you checked the User-ID logs in the GUI filtering for one specific user? What is the timeout, data source? Do you see any logout events for that user?

- Do you see any process crash dump files? - "> show system files"

- Try to correlate GlobalProtect logs and Traffic logs - is there any pattern in the time between the last GP log for a given user and the first traffic log without User-ID?

Cyber Elite

@BigPalo,

In addition to the questions that @Astardzhiev has already asked, what version of the GlobalProtect agent are you using? Is everyone running the same version? 

Cyber Elite

Hi @BigPalo,

 

I shouldn't have replied to this thread.... I just received the exact same complaint from one of our users.

 

From my troubleshooting it seems the problem is in the GlobalProtect agent.

- Checking the IP-to-user mapping I can see that there is no record for the IP address of the affected user, even though he is still connected to GlobalProtect.

- Checking GlobalProtect logs it seems he still performs the portal config refresh, because I can see his initial login and subsequent portal connects every 2 hours.

- Checking User-ID logs I can see that the entry was created with the timestamp when the user initially connected to GlobalProtect, with a timeout of 3 hours (10800 sec) - at the moment I am not sure if this value depends on my config or is specific to GP-connected users.

- There is no other User-ID log for that user-to-IP mapping after that.

- Looking at traffic logs I can see that exactly 3 hours after the last User-ID log, the firewall has lost the mapping - because the mapping timeout has expired and there was no event that would refresh that timer.

 

To be honest I don't know how user-to-IP mapping entries for GP users are refreshed. Probably @BPry can correct me, but my guess is with the periodic HIP report re-submission for connected GP users.

- Checking HIP match logs and User-ID logs for a non-affected user (myself) I can see that every time there is a HIP match log there is a User-ID log, which is every hour.

- Checking HIP match logs and User-ID logs for the affected user, I can see that his last HIP log was from his initial GP connect (exactly the same time the user mapping was created) and there are no periodic logs for HIP re-submission, like there should be every hour.

 

So for me it all boils down to: why is the user not submitting HIP reports periodically if he is still connected and active in GP?

- Our GlobalProtect agent is 5.2.9

- Affected user is running macOS 12.2 (I don't have information for other affected users yet)

- Non-affected user is running Windows

 

I will try to gather GP agent logs from the affected user and I would suggest you do the same.
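The correlation described in the post above (User-ID mapping timeout of 10800 s, HIP re-submission expected hourly), as an added example that is not part of the original thread or of any Palo Alto tooling: it walks constructed sample log records, finds GP users whose HIP reports have stopped arriving, and reports when their mapping will (or already did) expire. The log line format, user names and IPs are assumptions made up for the example.

```python
from datetime import datetime, timedelta

# Values observed in the thread: GP mapping timeout 10800 s, HIP re-submission hourly.
UID_TIMEOUT = timedelta(seconds=10800)
HIP_INTERVAL = timedelta(hours=1)

# Constructed sample records (not real firewall output): time|log_type|user|ip
# "userid" = User-ID log entry, "hip" = HIP Match log entry.
SAMPLE_LOGS = """\
2024-03-01 08:00:00|userid|alice|10.10.1.5
2024-03-01 08:00:00|hip|alice|10.10.1.5
2024-03-01 09:00:00|hip|alice|10.10.1.5
2024-03-01 09:00:00|userid|alice|10.10.1.5
2024-03-01 10:00:00|hip|alice|10.10.1.5
2024-03-01 10:00:00|userid|alice|10.10.1.5
2024-03-01 08:05:00|userid|bob|10.10.1.9
2024-03-01 08:05:00|hip|bob|10.10.1.9
"""
CHECK_TIME = datetime(2024, 3, 1, 11, 10, 0)  # constructed "now" for the sample

def parse(text):
    """Parse lines into (timestamp, kind, user, ip) tuples; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, user, ip = line.split("|")
        records.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), kind, user, ip))
    return records

def find_silent_gp_users(records, now):
    """Return {user: (ip, last_hip, mapping_expiry, missed, lost)} for users whose
    hourly HIP re-submission has stopped (two or more reports missed). `lost` is
    True when the mapping timeout has already elapsed since the last User-ID log."""
    last_hip, last_uid = {}, {}
    for ts, kind, user, ip in records:
        table = last_hip if kind == "hip" else last_uid
        table[(user, ip)] = max(ts, table.get((user, ip), ts))
    result = {}
    for (user, ip), hip_ts in last_hip.items():
        missed = int((now - hip_ts) // HIP_INTERVAL)
        if missed >= 2:  # tolerate a single late report
            expiry = last_uid.get((user, ip), hip_ts) + UID_TIMEOUT
            result[user] = (ip, hip_ts, expiry, missed, expiry <= now)
    return result

def report(now=CHECK_TIME):
    """Run the check over the constructed sample at the constructed time."""
    return find_silent_gp_users(parse(SAMPLE_LOGS), now)

if __name__ == "__main__":
    for user, (ip, hip_ts, expiry, missed, lost) in report().items():
        print(f"{user}@{ip}: last HIP {hip_ts}, {missed} missed, mapping expires {expiry}, lost={lost}")
```

Fed real User-ID and HIP Match exports in the same four-field shape, the check singles out the users the post describes: still connected, but no HIP refresh keeping the mapping alive.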
