Issue: Enabled User-ID agentless in Palo Alto


L2 Linker

Hi Team,

We have configured and are using User-ID in our policy. One issue I've encountered is that sometimes the PA can't resolve the User-ID assigned to a specific address. This happens only for selective users; other users are fine.


Questions are:

1. What would be the issue when the PA can't resolve the user, or just shows an unknown user ID in the logs?

2. How to troubleshoot and verify whether it's a workstation, FW or AD server issue?

3. How to resolve this issue?


Thanks

8 replies

L6 Presenter

Hi.

This might help:

https://live.paloaltonetworks.com/t5/Management-Articles/Troubleshooting-User-ID-Group-and-User-to-I...

Please check the document attached to the article.

L4 Transporter

Hey!

1. Run this command in the CMD of that machine: echo %logonserver%

2. Check if you have that DC added in the Server Monitoring section.

3. If it's not there, add it. Issue resolved.

4. If it's there, check if there is an event log entry generated for that user's login.

5. Check useridd.log: less mp-log useridd.log

HTH,

Anurag

================================================================
ACE 7.0, 8.0, PCNSE 7

L2 Linker

Thank you all for your comments.

But I would like to ask about the process/query from the workstation to the FW and to AD. Are these stages correct?
1. Workstation will send the user ID to the FW.
2. FW will check the policy based on the User-ID.
3. Then the FW will query AD via LDAP to verify the user account.
4. If the reply from AD is confirmed, the FW will now process the user's request.

Thank you

Hi,

[image: UserID-agent.PNG]

1. Workstation will send the user ID to the FW - Workstation will generate an event/log entry on AD.
2. FW will check the policy based on the User-ID - Yes, as well as other matching criteria.
3. Then the FW will query AD via LDAP to verify the user account - Only for Group Mapping (the agent will read the LDAP tree); user logs are delivered by the User-ID agent (User Groups <-------> User ID <-------> IP address).
4. If the reply from AD is confirmed, the FW will now process the user's request - No, there is no direct connection/query for a particular user with AD. All is based on event/security logs, where the User-ID agent has an account on the AD server with the minimum permissions to read these logs.

Hi @TranceforLife,

Thank you for sharing. In addition, we are using agentless right now.

Just want to clarify:

3. Only for Group Mapping (the agent will read the LDAP tree); user logs are delivered by the User-ID agent (User Groups <-------> User ID <-------> IP address).

- So this is only for the setup with an agent? How about the agentless setup? So once the FW and AD have been set up via LDAP, no more queries will happen?

4. No, there is no direct connection/query for a particular user with AD. All is based on event/security logs, where the User-ID agent has an account on the AD server with the minimum permissions to read these logs.

- So you mean agentless or with agent doesn't query AD anymore? All based on security logs (generated on the workstation?)

Sorry, parts 3 & 4 are not clear to me. Apologies.

3) LDAP, in our case, is needed for the Group Mapping query; user ID info is still delivered by the agents (FW or SW agent).

4) User-ID agents (both FW and/or SW agent) talk to AD and then deliver security logs/events to the FW.

This is how I understood it. Other advanced users can also comment and correct me if I am wrong.
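As an added example (not code from Palo Alto Networks or from anyone in this thread), the following Python models the flow TranceforLife describes and the checks in Anurag's troubleshooting steps: the agent replays logon events from the DCs listed under Server Monitoring into an IP-to-user table, group membership comes from a separate LDAP group-mapping lookup, and a `diagnose()` helper names the first step at which a given user's mapping fails (DC not monitored, no logon event, or mapping expired). The event record format, the DC/user/IP values, the group table, the 45-minute mapping timeout and the choice to count only event ID 4624 as a logon are all constructed or assumed for illustration.

```python
# Added example (not Palo Alto Networks code, not code from anyone in this
# thread): a toy model of agentless User-ID mapping built from DC security
# logs, plus a checker that follows the thread's troubleshooting steps.
# Event format, DC names, users, IPs, groups and the 45-minute timeout are
# all constructed/assumed for illustration.
from datetime import datetime, timedelta

# Security event IDs treated as a logon that yields a user-to-IP mapping.
# 4624 (successful logon) is a real Windows event ID; limiting the model to
# that one ID is an assumption, not a statement of what the agent reads.
LOGON_EVENT_IDS = {4624}

# DCs configured under Server Monitoring on the firewall (constructed).
MONITORED_DCS = {"DC01"}

# Constructed sample events as read from each DC's Security log.
# 4672 ("special privileges assigned") is included as a non-logon event.
EVENTS = [
    {"dc": "DC01", "event_id": 4624, "user": "CORP\\alice", "ip": "10.1.1.10", "time": "2018-03-01T08:00:00"},
    {"dc": "DC02", "event_id": 4624, "user": "CORP\\bob",   "ip": "10.1.1.11", "time": "2018-03-01T08:05:00"},
    {"dc": "DC01", "event_id": 4672, "user": "CORP\\carol", "ip": "10.1.1.12", "time": "2018-03-01T08:10:00"},
    {"dc": "DC01", "event_id": 4624, "user": "CORP\\dave",  "ip": "10.1.1.13", "time": "2018-03-01T00:00:00"},
]

# Result of the separate LDAP group-mapping query (constructed). This is the
# only place AD is queried directly; user-to-IP comes from the logs above.
GROUPS = {"CORP\\alice": {"Finance"}, "CORP\\bob": {"Engineering"}, "CORP\\dave": {"IT"}}

NOW = datetime(2018, 3, 1, 8, 30)
TIMEOUT = timedelta(minutes=45)   # assumed mapping timeout


def build_ip_user_map(events, monitored_dcs, now, timeout):
    """Replay logon events from monitored DCs into an IP -> user table.

    Events on DCs not under Server Monitoring are never seen, non-logon
    events are ignored, and a mapping older than `timeout` has expired.
    """
    mapping = {}
    for ev in sorted(events, key=lambda e: e["time"]):   # ISO strings sort chronologically
        if ev["dc"] not in monitored_dcs or ev["event_id"] not in LOGON_EVENT_IDS:
            continue
        if now - datetime.fromisoformat(ev["time"]) > timeout:
            continue
        mapping[ev["ip"]] = ev["user"]   # latest logon for an IP wins
    return mapping


def lookup(ip, mapping, groups):
    """What the firewall knows about a source IP when it matches policy."""
    user = mapping.get(ip)
    if user is None:
        return "unknown", frozenset()
    return user, frozenset(groups.get(user, ()))


def normalize_dc(logonserver):
    """Turn the output of `echo %logonserver%` (e.g. '\\\\DC01') into a DC name."""
    return logonserver.strip().lstrip("\\").upper()


def diagnose(user, logonserver, events, monitored_dcs, now, timeout):
    """Walk the thread's troubleshooting order and name the first failing step."""
    dc = normalize_dc(logonserver)
    if dc not in monitored_dcs:
        return "dc-not-monitored"       # steps 2/3: add that DC to Server Monitoring
    logons = [ev for ev in events
              if ev["user"] == user and ev["dc"] == dc and ev["event_id"] in LOGON_EVENT_IDS]
    if not logons:
        return "no-logon-event"         # step 4: no logon event for this user on that DC
    newest = max(datetime.fromisoformat(ev["time"]) for ev in logons)
    if now - newest > timeout:
        return "mapping-expired"        # the user's last logon is older than the timeout
    return "mapping-ok"                 # step 5: expect to find the mapping in useridd.log


if __name__ == "__main__":
    table = build_ip_user_map(EVENTS, MONITORED_DCS, NOW, TIMEOUT)
    for ip in ("10.1.1.10", "10.1.1.11", "10.1.1.12", "10.1.1.13"):
        print(ip, lookup(ip, table, GROUPS))
    for user, srv in (("CORP\\alice", "\\\\DC01"), ("CORP\\bob", "\\\\DC02"),
                      ("CORP\\carol", "\\\\DC01"), ("CORP\\dave", "\\\\DC01")):
        print(user, diagnose(user, srv, EVENTS, MONITORED_DCS, NOW, TIMEOUT))
```

Running it shows only alice's IP resolving; bob logged on against a DC that the firewall does not monitor, carol's only event is not a logon, and dave's logon has aged out, which are the three cases behind "unknown" that the steps above are meant to separate.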

Thank you bro, nice diagram. May I know where you got that? Because I'm looking for docs regarding the User-ID process, agentless and with agent, and can't find any good docs; it's always configuration.

Say thanks to @acc6d0b3610eec313831f7900fdbd235,

He did a very good job in providing some nice free resources. Get registered at a learning centre and look for:

Firewall Installation, Configuration, and Management: Essentials 1 (101) PAN-OS 7.0 Rev. B

or

Firewall 8.0 Essentials: Configuration and Management (EDU-110)

https://live.paloaltonetworks.com/t5/General-Topics/Palo-Alto-Networks-Training-Resources-Available/...

P.S. The snip was from one of the video training lessons.

3508 Views, 8 replies, 0 Likes