Issue: Enabled UserID agentless in Palo Alto

L2 Linker

Hi Team,

We configured and are using UserID in our policy. One issue I've encountered is that sometimes PA can't resolve the UserID assigned to a specific address. This happens only for selected users; other users are fine.

Questions are:

1. What would be the issue when PA can't resolve or just shows unknown userid in logs?

2. How to troubleshoot and verify whether it's a workstation, FW or AD Server issue?

3. How to resolve this issue?

Thanks

L6 Presenter

Hi.

This might help:

https://live.paloaltonetworks.com/t5/Management-Articles/Troubleshooting-User-ID-Group-and-User-to-I...

Please check the document attached to the article.

L4 Transporter

Hey!

1. Run this command on the CMD of that machine - echo %logonserver%

2. Check if you have that DC added in the Server monitoring section.

3. If it's not there, add it. Issue resolved.

4. If it's there, check if there is an event log generated for that user's login.

5. Check useridd.log - less mp-log useridd.log

HTH,

Anurag

================================================================
ACE 7.0, 8.0, PCNSE 7
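
Steps 1 to 4 of the reply above, combined into one PowerShell check; this is an added example, not part of the post and not Palo Alto tooling. The `$MonitoredDCs` host names are constructed placeholders, and the script assumes the Windows logon and Kerberos events 4624, 4768, 4769 and 4770 are the ones relevant to the mapping.

```powershell
# Added example: run on the affected workstation as the affected user.
# $MonitoredDCs is a constructed placeholder list; replace it with the servers
# configured under Server Monitoring. Reading a DC's Security log needs rights on that DC.
param(
    [string]   $User         = $env:USERNAME,
    [string[]] $MonitoredDCs = @('dc01.example.local', 'dc02.example.local'),
    [int]      $HoursBack    = 12
)

# Step 1: the DC that authenticated this session (what `echo %logonserver%` prints).
$logonServer = "$env:LOGONSERVER".TrimStart('\')

# Steps 2-3: compare by short host name, since %logonserver% is a NetBIOS name.
$shortNames = $MonitoredDCs | ForEach-Object { ($_ -split '\.')[0] }
if ($shortNames -notcontains $logonServer) {
    Write-Warning "$logonServer is not in the monitored list; add it under Server Monitoring."
}

# Step 4: look for logon/Kerberos events for this user on that DC.
# 4624 = logon success; 4768/4769/4770 = Kerberos TGT, service ticket, ticket renewal.
$filter = @{
    LogName   = 'Security'
    Id        = 4624, 4768, 4769, 4770
    StartTime = (Get-Date).AddHours(-$HoursBack)
}
$events = Get-WinEvent -ComputerName $logonServer -FilterHashtable $filter -ErrorAction SilentlyContinue

$hits = foreach ($ev in $events) {
    # Read fields by name from the event XML; field positions differ between event IDs.
    $data = ([xml]$ev.ToXml()).Event.EventData.Data
    $name = ($data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
    if ($name -and ($name -split '@')[0] -eq $User) {
        [pscustomobject]@{
            Time    = $ev.TimeCreated
            EventId = $ev.Id
            User    = $name
            Source  = ($data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
        }
    }
}

if ($hits) { $hits | Sort-Object Time -Descending | Select-Object -First 10 }
else { Write-Warning "No logon events for $User on $logonServer in the last $HoursBack hours." }
```

If events are listed with the workstation's address in `Source` and the DC is monitored, the remaining place to look is useridd.log on the firewall (step 5).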
L2 Linker

Thank you all for your comments.

But I would like to ask about the process/query from workstation to FW and to AD.
Are these stages correct?
1. Workstation will generate userid to FW.
2. FW will check the policy based on UserID.
3. Then FW will query the AD via LDAP to verify user acct.
4. If the reply from AD is confirmed, FW will now process the user request.

Thank you

L6 Presenter

Hi,

[Image: UserID-agent.PNG]

1. Workstation will generate userid to FW - Workstation will generate event/log entry on AD.
2. FW will check the policy based on UserID - Yes, as well as other matching criteria.
3. Then FW will query the AD then via LDAP to verify user acct - Only for Group Mapping (agent will read LDAP tree), user logs are delivered by user-id agent (User Groups <-------> User ID <-------> IP address)
4. If the reply from AD is confirmed, FW now will process the user request - No, no direct connection/query for a particular user with AD. All based on event/security logs where user id agent has an account on AD server with the minimum permission to read these logs.

L2 Linker

Hi @TranceforLife,

Thank you for sharing. In addition, we are using agentless right now.

Just want to clarify:

3. Only for Group Mapping (agent will read LDAP tree), user logs are delivered by user-id agent (User Groups <-------> User ID <-------> IP address).

- So this is only for a setup with agent? How about an agentless setup? So once the FW and AD have been set up via LDAP, no more queries will happen?

4. No, no direct connection/query for a particular user with AD. All based on event/security logs where user id agent has an account on AD server with the minimum permission to read these logs.

- So you mean agentless or with agent doesn't query the AD anymore? All based on security logs (generated on workstation?)

Sorry, parts 3 & 4 are not clear to me. Apologies.

L6 Presenter

3) LDAP, in our case, is needed for Group Mapping query; user id info is still delivered by the agents (FW or SW agent).

4) User id agents (both FW and/or SW agent) talk to AD and then deliver security logs/events to FW.

This is how I understood it. Other advanced users can also comment and correct me if I am wrong.

L2 Linker

Thank you bro, nice diagram. May I know where you got that? Because I'm looking for docs regarding the User-ID process agentless/with agent and can't find any good docs, always configuration.

L6 Presenter

Say thanks to @Willian,

He did a very good job in providing some nice free resources. Get registered at a learning centre and look for:

Firewall Installation, Configuration, and Management: Essentials 1 (101) PAN-OS 7.0 Rev. B

or

Firewall 8.0 Essentials: Configuration and Management (EDU-110)

https://live.paloaltonetworks.com/t5/General-Topics/Palo-Alto-Networks-Training-Resources-Available/...

P.S. The snip was from one of the video training lessons.
