I upgraded the PANOS from 8.0 to 8.1 last week, current version is 8.1.0. Now I am observing some issues.
1. Traffic logs are not showing source user.
PA is connected with active directory via WMI, connection status is fine. Source User in security policy showing users from Active directory but traffic logs are not showing any user which was previously showing in each log.
2. User having issue in file sharing.
Users from remote sites having issue in accessing the Shared Server file sharing, traffic logs showing "resources-unavailable" although enough resources are available at the server.
3. User logoff issue
Domain computers stuck on logoff (traffic from users to active directory is traversing from PA). Traffic logs not showing any blockage / error.
Please share your experience or resolution to the above problems.
What specific version of 8.1 are you at? There are many versions (10 I think)
1) With the upgrade, you now need to confirm that your FW is pulling the correct UserID info from the DC.
You should confirm that User ID is enabled (again) under the Zone (trusted or whatever you call it)
2) The resource unavailable is not coming from your server, but from the FW.
This will require some additional troubleshooting to determine what resource is unavailable.
I think that "show system resources | follow" and watching the display resource counters (as you hold the spacebar key) should help to show what resources are being consumed.
3) I do not understand the Logoff issue.
The computer itself is responsible for shutting down the computer. I am not understanding where the FW could prevent an endpoint from turning off.
That is like saying the mouse button on my computer stopping working because the wireless network shows disconnected. 😛
Thanks for your response, let me elaborate in more detail.
FW current version is PANOS 8.1.0
1. I have already verified on trust zones "User ID Identification" is enabled. In troubleshooting i took new security policy and in Source User field I searched multiple AD users and it gave mr correct results, even a newly created user was also listed. It means FW is fetching users data from Active Directory properly but information is not included in traffic logs.
2. "resource-unavailable" is only showing on Users to Shared Server and AD transactions.
log filter: ( session_end_reason eq resources-unavailable )
as you can see the only those transactions having APPID ms-ds-smbv1, ms-ds-smbv2 & ms-ds-smbv3 are ended with "resource-unavailable"
3. When a domain computer logged off it communicate with AD for graceful session end and AD writes are logoff log in events. it can be see in above logs "resource-unavailable" are also showing on AD transactions logs, that is why I am troubleshooting the issue from FW end.
I have 7 remote sites and almost all users are facing same issue then how it could be relate to local PC. In my opinion this OS version is internally blocking above APPIDs and it could be a bug.
Thanks for the info.
Your screen capture, if it showed BLOCK as the action, or if the reason for the session ending was "Threat", then I would tend to agree with you about the FW.
Can you show a screen capture again with the Bytes Column (like you have now) and also include Bytes Sent and Bytes Received.
This will help to show us if the traffic is making it (or being blocked, as you suggested)
If you believe this is a bug, then please open a ticket and escalate, as we are all here to help provide ideas, but not technical support.
Be sure to take a Tech Support file, create your ticket online, and upload the tech support file.
Before logging a ticket as a potential bug issue, I recommend that you upgrade to 8.1.10 as the recommended current 8.1.x version, link below to the PAN-OS Software Release Guidance. After that upgrade, verify that you are seeing the same issues, and if you are open the ticket at that time.
There is a behavior change for user id from 8.0 to 8.1. Not sure if this might help you. Take a look at the below link.
Thank you so much for your valuable suggestions and inputs. As I was getting too much pressure from the users that file sharing is not working. I search for a workaround and found below article referring to Application override.
The workaround work for me amazingly, users are now able to access file shares but log off issue is still exist. I think above workaround cannot be consider as a permanent solution. Hence I am planning to upgrade the OS to 8.1.10 as suggested above. I will share the outcome with you guys after up-gradation.
...I think above workaround cannot be consider as a permanent solution. Hence I am planning to upgrade the OS to 8.1.10 as suggested above. I will share the outcome with you guys after up-gradation.
For the future as a general rule when doing upgrades it's best to go to the "preferred" release. When you upgraded from 8.0.X into 8.1.0 you unfortunately upgraded into a code version that already has lots of documented bugs which have been mitigated in the subsequent releases (8.1.1 - 8.1.10)
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!