We configured and are using User-ID in our policy. One issue I've encountered is that sometimes the PA can't resolve the User-ID assigned to a specific address. This happens only for selected users; other users are fine.
1. What would be the issue when the PA can't resolve the user, or just shows an unknown User-ID in the logs?
2. How to troubleshoot and verify whether it's a workstation, FW or AD server issue?
3. How to resolve this issue?
This might help:
Please check the document attached to the article
1. Run this command on the CMD of that machine - echo %logonserver%
2. Check if you have that DC added in the Server monitoring section.
3. If it's not there, add it. Issue resolved.
4. If it's there, check if there is an event log generated for that user's login.
5. Check useridd.log - less mp-log useridd.log
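The five steps above, run from the affected workstation as one PowerShell script. This is an added example, not code from the original reply or from Palo Alto Networks: it reads %logonserver%, then checks that DC's Security log for the user's logon events so you can compare the DC name against Server Monitoring on the firewall and see whether an event for the user exists at all. Assumptions: you can read the remote Security log (Event Log Readers or local admin on the DC, RPC/WinRM reachable), and the event ID list matches what your User-ID agent is configured to monitor.

```powershell
# Added example (not from the original thread): find the DC that authenticated this
# session and check its Security log for the logon/Kerberos events User-ID relies on.
# If the DC is missing from Server Monitoring, or the DC has no event for the user,
# the IP-to-user mapping is never learned and the traffic log shows the user as unknown.
param(
    [string]$User  = $env:USERNAME,   # sAMAccountName to look for
    [int]   $Hours = 1                # how far back to search
)

# 1. Which DC handled this logon? %logonserver% is \\DCNAME.
$dc = $env:LOGONSERVER.TrimStart('\')
Write-Host "Logon server for this session: $dc"
Write-Host "Compare this name against Server Monitoring on the firewall (Device > User Identification)."

# 2. Event IDs the Windows User-ID agent reads from a DC (assumption: 4624 logon,
#    4768/4769/4770 Kerberos; adjust to what your agent is configured for).
$eventIds = 4624, 4768, 4769, 4770
$since    = (Get-Date).AddHours(-$Hours)

try {
    $events = Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
        LogName   = 'Security'
        Id        = $eventIds
        StartTime = $since
    }
} catch {
    Write-Warning "Could not read the Security log on ${dc}: $($_.Exception.Message)"
    Write-Warning "Fix read access to the DC first; the User-ID agent account needs the same permission."
    return
}

# 3. Keep only events for this user and pull the client IP out of the message text.
#    (?m) so that $ matches the end of the "Account Name:" line inside the multi-line message.
$userPattern = '(?m)Account Name:\s+' + [regex]::Escape($User) + '\s*$'
$hits = foreach ($e in $events) {
    if ($e.Message -notmatch $userPattern) { continue }
    # 4624 carries "Source Network Address:", the Kerberos events carry "Client Address:".
    $ip = if ($e.Message -match '(?:Source Network Address|Client Address):\s+(?:::ffff:)?([\d\.]+)') {
        $Matches[1]
    } else {
        '-'
    }
    [pscustomobject]@{ Time = $e.TimeCreated; EventId = $e.Id; User = $User; ClientIp = $ip }
}

if (-not $hits) {
    Write-Warning "No logon events for $User on $dc in the last $Hours h."
    Write-Warning "Either the user authenticated against another DC (check every DC) or logon auditing is off on $dc."
} else {
    $hits | Sort-Object Time -Descending | Format-Table -AutoSize
    Write-Host "On the firewall, confirm the mapping with: show user ip-user-mapping ip <ClientIp>"
}
```

If the DC printed on the first line is not in Server Monitoring, that is the whole problem (step 3 of the reply). If it is listed but no event shows up, the firewall has nothing to learn the mapping from, and useridd.log will not mention the user either; if an event does show up with the right client IP, the remaining suspect is the firewall side, which is where `less mp-log useridd.log` comes in.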
Thank you all for your comments.
But I would like to ask about the process/query from the workstation to the FW and to AD.
Are these stages correct?
1. Workstation will generate the user ID to the FW.
2. FW will check the policy based on the User-ID.
3. Then the FW will query the AD via LDAP to verify the user account.
4. If the reply from AD is confirmed, the FW will now process the user request.
1. Workstation will generate the user ID to the FW - The workstation will generate an event/log entry on AD.
2. FW will check the policy based on the User-ID - Yes, as well as other matching criteria.
3. Then the FW will query the AD via LDAP to verify the user account - Only for Group Mapping (the agent will read the LDAP tree); user logs are delivered by the User-ID agent (User Groups <-------> User ID <-------> IP address).
4. If the reply from AD is confirmed, the FW will now process the user request - No, there is no direct connection/query to AD for a particular user. It is all based on event/security logs; the User-ID agent has an account on the AD server with the minimum permission to read these logs.
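A small model of the flow described in the reply above, added here as an illustration and not code from the original post or from Palo Alto Networks. It shows the three tables the reply is talking about: the agent turns DC security events into an IP-to-user table that ages out, the LDAP read only builds a user-to-group table, and a policy lookup walks IP -> user -> group from those tables without ever asking AD about the individual session. The events, users, group DNs and the 45-minute timeout are constructed for the example (45 minutes is the PAN-OS default User Identification Timeout; yours may differ).

```powershell
# Added example (not from the original thread): model of User-ID's data flow.
# Agent side: security events -> IP-to-user map. LDAP: user -> group table.
# Firewall side: lookups against those tables only; no per-session query to AD.

$MappingTimeoutMinutes = 45   # assumption: PAN-OS default User Identification Timeout

# Constructed DC security-log events as the agent would read them (ID, time, user, client IP).
$events = @(
    @{ Id = 4624; Time = (Get-Date).AddMinutes(-5);   User = 'jsmith'; Ip = '10.1.1.20' },
    @{ Id = 4768; Time = (Get-Date).AddMinutes(-120); User = 'adoe';   Ip = '10.1.1.30' }   # older than the timeout
)

# Constructed result of the group-mapping LDAP read (memberOf), refreshed on its own schedule.
$groupMembers = @{
    'CN=Finance,OU=Groups,DC=corp,DC=example' = @('jsmith')
    'CN=IT,OU=Groups,DC=corp,DC=example'      = @('adoe')
}

# Agent side: the newest event per IP wins; this is the table pushed to the firewall.
function Build-IpUserMap([array]$SecurityEvents) {
    $map = @{}
    foreach ($e in ($SecurityEvents | Sort-Object { $_.Time })) {
        $map[$e.Ip] = @{ User = $e.User; Learned = $e.Time }
    }
    return $map
}

# Firewall side: resolve an IP; a missing or expired mapping is reported as 'unknown'.
function Resolve-UserForIp([hashtable]$Map, [string]$Ip, [datetime]$Now = (Get-Date)) {
    $m = $Map[$Ip]
    if (-not $m) { return 'unknown' }
    if (($Now - $m.Learned) -gt [timespan]::FromMinutes($MappingTimeoutMinutes)) { return 'unknown' }
    return $m.User
}

# Policy match: IP -> user (from the event-derived map) -> group (from the LDAP-derived table).
function Test-UserInGroup([hashtable]$Map, [hashtable]$Groups, [string]$Ip, [string]$GroupDn) {
    $user = Resolve-UserForIp $Map $Ip
    if ($user -eq 'unknown') { return $false }
    return [bool]($Groups[$GroupDn] -contains $user)
}

$map = Build-IpUserMap $events
'10.1.1.20', '10.1.1.30', '10.1.1.40' | ForEach-Object {
    '{0,-12} -> {1}' -f $_, (Resolve-UserForIp $map $_)
}
Test-UserInGroup $map $groupMembers '10.1.1.20' 'CN=Finance,OU=Groups,DC=corp,DC=example'
```

Two of the three addresses come back as unknown for different reasons: 10.1.1.40 never produced an event on a monitored DC, and 10.1.1.30 did but its mapping is older than the timeout. Both look identical in the traffic log, which is why the reply's advice to check the DC event log first is the right order of troubleshooting. Note also that the group check never touches AD at lookup time; only the group table is refreshed over LDAP.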
Thank you for sharing. In addition, we are using agentless right now.
Just want to clarify
3. Only for Group Mapping (the agent will read the LDAP tree); user logs are delivered by the User-ID agent (User Groups <-------> User ID <-------> IP address).
- So is this only for the setup with an agent? How about the agentless setup? So once the FW and AD have been set up via LDAP, no more queries will happen?
4. No, there is no direct connection/query to AD for a particular user. It is all based on event/security logs; the User-ID agent has an account on the AD server with the minimum permission to read these logs.
- So you mean agentless or with an agent doesn't query the AD anymore? All based on security logs (generated on the workstation?)
Sorry, parts 3 & 4 are not clear to me. Apologies.
3) LDAP, in our case, is needed for the Group Mapping query; user ID info is still delivered by the agents (FW or SW agent).
4) User-ID agents (FW and/or SW agent) talk to AD and then deliver security logs/events to the FW.
This is how I understood it. Other advanced users can also comment and correct me if I am wrong.
Say thanks to @Willian,
He did a very good job in providing some nice free resources. Get registered at a learning centre and look for:
Firewall Installation, Configuration, and Management: Essentials 1 (101) PAN-OS 7.0 Rev. B
Firewall 8.0 Essentials: Configuration and Management (EDU-110)
P.S. The snip was from one of the video training lessons.