08-15-2024 06:05 AM
Anyone see this behavior? we are using syslog parser string for userid, no logout action, timeout set to 45 minutes ( default). You can see here that a flow within the same second shows a userid and then blank with same source address. FW running 10.2.7 h-8 . Any ideas?
09-18-2024 08:31 AM
What this actually was (cut out of screenshot), was that the loss of user-id was between different device-groups within a network. As a user was moving through the network encountering several different firewalls, not all firewalls had been set up for user-id. The search that was being used was against the whole group of firewalls using the user ip address.
08-21-2024 02:12 AM
Hi @NSutfin ,
Note that traffic logs are generated at the end of the session. Although the logs are generated few seconds apart, the actuall session for each log may have started minutes apart.
Try the following:
- Check the session start timestamp for two logs one with user-id and one without
- Check the user-ID logs to see the timestamp when the user-to-ip mapping was created
- Verify the mapping timeout has not expired for the two session start timestamps
09-18-2024 08:31 AM
What this actually was (cut out of screenshot), was that the loss of user-id was between different device-groups within a network. As a user was moving through the network encountering several different firewalls, not all firewalls had been set up for user-id. The search that was being used was against the whole group of firewalls using the user ip address.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
