IP to user mapping unreliable

Reply
Highlighted
L2 Linker

Re: IP to user mapping unreliable

You are correct. That is why I would use the User ID API with a Log Out script to force the removal of the IP mapping. (https://live.paloaltonetworks.com/docs/DOC-1348). In this way we can create our own log out event....

Highlighted
L3 Networker

Re: IP to user mapping unreliable

A nice thought James, but when using 802.1x you don't even have an IP-address when you authenticate. In most 802.1x implementations I have seen or been involved in "x" is used to place authed users on a specific VLANs for that user/group. Admittance based on client security posture is another reason for using it.

Highlighted
L4 Transporter

Re: IP to user mapping unreliable

You are correct, but an IP Address is requested and given - depending on your implementation (granted) all this information will be in the RADIUS server.  Otherwise, you may have some correlation work to do with a DHCP server.

Thanks

James

Highlighted
L4 Transporter

Re: IP to user mapping unreliable

Has this been done before ? I don't know the API, so I have no idea how difficult/easy this would be to implement.

Highlighted
L1 Bithead

Re: IP to user mapping unreliable

Hi,

We had a similar issue and the below fixed this for us.

Have you tried disabling the cache on the Palo Agent? it is in the configure part of the agent and it is called "Enable Group Cache" untick that and delete the user_ip_map.txt file in the Pan Agent folder, then restart the service. I have attached a screen shot of the setting also.

Highlighted
L4 Transporter

Re: IP to user mapping unreliable

Haven't tried that, but there's still the issue with the long timeout on the PA device...

Highlighted
Not applicable

Re: IP to user mapping unreliable

Hi All,

Just to share our feedback about user-id feature, there are mainly two items to deal with :

- When you are using fixed PCs using your AD domain : it's quite simple, because IPs won't often change, but you have to deal with multi-users computers.

- When you are using laptop, even if AD agent is efficient, you won't be able to have a real time userID-IP association ( when IP have changed ).

Within my company, we deal with these two issues by using the XML/API agent. We deploy a piece of code which communicates with the API agent. Now life is great . We have 80 000 PCs in which 45000 are laptop, we are able to recognize who is behind each IP within 10 to 15s.:smileycool:

The Palo Alto UserID feature is really great, but you have some work to do to take full advantage of it. I think release 4 will bring some more integrated features, but at the moment the system is quite open.

It has changed the way we provide security.

PS : this information is intended to stay in this private forum within Palo Alto, no public communication, thanks.

Highlighted
L3 Networker

Re: IP to user mapping unreliable

Having exactly the same issues. In this case it is a single AD box with multiple AD users. Cannot disable the user ID cache since they have multiple remote sites – the probing etc will overwhelm the WAN links.


The API/XML script seems like a great solution but not a commercially and economically feasible solution. Pushes up costs of deploying Palo since custom dev work must be done to get it going…


Would anybody mind sharing their API/XML solution to fix this issue in the meanwhile? Hopefully Palo will implement a function whereby the PAN agent can read the security logs for logoff events directly. (not too sure why it does not in the first place?)

Highlighted
L2 Linker

Re: IP to user mapping unreliable

Hi Quinton,

Windows logoff events are less common then you may think. Most laptop users will just sleep or hibernate when they are leaving, neither of which creates the desired event.

With the current version of the user agent the only areas we still have some issues are in high turn over wireless networks where IP's are quickly recycled and reassigned. This is where the API comes in handy. Take a look at for an example of how to set it up. Modification of the scripts are not terribly complex and we are happy to help you out with it on the .

I am happy to get into more details on any of your concerns here, just let me know what they are.

Nick

Highlighted
L3 Networker

Re: IP to user mapping unreliable

Hi Nick

Thanks for the offer. Just an update, the issue is resolved. Turns out that WMI/NetBIOS probing is potent enough to build a more or less complete IP to user mapping table. So my initial thoughts were that all is working as expected and the issue must be something else. The problem was that the customer did not add any "include" networks in the PAN agent, only exclude networks. Upon closer inspection in the PAN agent logs I found the agent logging that IP x is not in the include list. Adding all the subnets to the PAN agent fixed all the issues experienced at this site with PAN agent – even the issue with multiple users logging onto a single PC was fixed. The IP to user mapping on the PAN firewall is updated almost instantaneously.

Thanks for the help

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!