Good Day to everyone.
I have this issue almost every day. It doesn't happen with all users at one time.
After restart, everything is working as it should work.
I have probing enabled (20 minutes) and Enable User Identification Timeout set to 720 minutes.
What can be an issue?
You can use CP and GP in vwire, but indeed this needs some further configuration steps; too much to handle in this issue.
But you can find a lot of useful documents in the PaloAlto Knowledgebase, e.g. this one for CP: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClJYCA0
Regarding GP and internal gateways there are several articles around here and you can also find the info in the admin guide.
Regarding UIA instances: you can install the User-ID Agent on Windows servers in your environment, please take a look at the documentation. At the moment it seems you only use the agent on the firewall itself.
And a very good day to you kind sir...
Are you using agents or local Palo user mapping?
What is it that you restart to get things working again: the firewall, user PC... or all?
It does seem odd, as you have the timeout set to 12 hours.
For other users it happens at different times, so I can't tell you an exact time.
But with me it happens almost every morning. I take my PC home at 6 PM and come to work at 9 AM.
That makes about 15 hours.
Also, if some user turns off his PC for this time and turns it on in the morning, the same problem occurs.
I have now set this time to 20 hours. Maybe you have another solution?
It looks like you rely on the AD security log for User-ID and your probing configuration does not work.
So when you log in via cable, the firewall/UIA learns the mapping from the AD security log, but when you switch network connection I think you get a new IP. As there is no login event on the AD, you have no correct user-IP mapping and the connection is blocked.
Did you set the correct permissions for probing?
You can check whether your AD account is allowed to get the logged-in user via the following CLI command on Windows:
WMIC /NODE: xxx.xxx.xxx.xxx COMPUTERSYSTEM GET USERNAME
Make sure that you run that command in the context of your UID Agent user!
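As an added example that is not part of this thread, the PowerShell script below issues the same WMI query the wmic command above performs (Win32_ComputerSystem, UserName) against several clients, explicitly under the User-ID agent's account, and separates an empty result (permissions problem, or nobody logged on interactively) from a connection or access error. The account name and client IPs are placeholders you would replace with your own.

```powershell
# Added example, not from the thread. Probes each client over DCOM (the same
# transport wmic uses) with the UID agent's credentials and reports what comes back.
$AgentAccount = 'EXAMPLE\svc-userid'          # placeholder: User-ID agent service account
$Clients      = @('10.0.1.21', '10.0.1.22')  # placeholder: client IPs to probe

$cred = Get-Credential -UserName $AgentAccount -Message 'Password of the UID agent account'

function Test-UserIdProbe {
    param([string]$Computer, [pscredential]$Credential)
    $session = $null
    try {
        # Use DCOM rather than WinRM so the test matches what wmic / the agent do.
        $opt = New-CimSessionOption -Protocol Dcom
        $session = New-CimSession -ComputerName $Computer -Credential $Credential `
                                  -SessionOption $opt -ErrorAction Stop
        $cs = Get-CimInstance -CimSession $session -ClassName Win32_ComputerSystem `
                              -Property UserName -ErrorAction Stop
        if ([string]::IsNullOrEmpty($cs.UserName)) {
            # Host answered but returned no user: this is the "empty response"
            # case, meaning wrong permissions or no interactive logon on the client.
            $status = 'EMPTY (check probing permissions / no interactive logon)'
        } else {
            $status = "OK -> $($cs.UserName)"
        }
    } catch {
        # Access denied, RPC unavailable, etc.; the message tells which.
        $status = "ERROR: $($_.Exception.Message)"
    } finally {
        if ($session) { Remove-CimSession $session }
    }
    [pscustomobject]@{ Computer = $Computer; Result = $status }
}

$Clients | ForEach-Object { Test-UserIdProbe -Computer $_ -Credential $cred } |
    Format-Table -AutoSize
```

Run it from a management host, not from the probed client itself, since a CIM session with explicit credentials cannot target the local machine.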
Probing etc. is configured as in this article.
I just added now our local DATA network in include/exclude network (include - 10.0.0.0/8).
The problem usually occurs on mornings.
The article you mentioned does not cover the permission settings on the Windows side.
Please use the wmic command mentioned before to test if you receive the user information from the client. When you receive an empty response, the permissions are not correct.
The network for sure must be in the include list for the firewall to create an IP-user mapping.
Do you use MS Exchange for email? If yes, I have found those logs to be quicker to respond to IP changes, i.e. wireless to WiFi. Sometimes what happens on a PC is that other accounts are running on it from external sources, so the mapping in the PAN won't be correct.
For example, if you use a 3rd-party tool to push out software or updates that uses a service account, then the IP-to-user mapping in the PAN will most likely show the service account, since it only uses the last account to log into a PC.
This has caused me issues in the past when performing vulnerability scans. All of a sudden it would look like my scanning account was logged into the PC, and it was, for scanning purposes.
You can check the Unified logs to make sure the IP/Username is correct for that PC or help you track down what is causing it to change.
Hope that helps.