mapping issue



[Attachment: facebook palo alto issue.jpg]

Good Day to everyone.

I have this issue almost every day. It doesn't happen with all users at one time.

After restart, everything is working as it should work.

I have probe enabled (20 minutes) and Enable User Identification Timeout (720 minutes).

What can the issue be?


Accepted Solutions
L2 Linker

You can use CP and GP in vwire - but indeed this needs some further configuration steps - too much to handle in this issue.

But you can find a lot of useful documents in the PaloAlto Knowledgebase, e.g. this one for CP: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClJYCA0

Regarding GP and internal gateways there are several articles around here and you can also find the info in the admin guide.

Regarding UIA instances: you can install the User-ID Agent on Windows servers in your environment, please take a look at the documentation. At the moment it seems you only use the agent on the firewall itself.

All Replies
L7 Applicator

And a very good day to you kind sir...

Are you using agents or local Palo user mapping?

What is it that you restart to get things working again? The firewall, user PC... or all?

It does seem odd, as you have the timeout set to 12 hours...


Hi Mick,

I restart the PC which has this problem, and after the restart everything is working.

I use AD username to make connection between PAN and AD.

L7 Applicator

So how long after you restart the PC does the problem come back for that user? Is it after 12 hours?


For other users it happens at different times, so I can't tell you the exact time.
But with me it happens almost every morning. I take my PC home at 6 PM and come to work at 9 AM.

It makes about 15 hours.

Also, if some user turns off his PC for this time and turns it on in the morning, the same problem occurs.

I have now set this time to 20 hours. Maybe you have another solution?


Also, the problem occurs when I switch to the WiFi network.

It blocks by ip.

L2 Linker

It looks like you rely on the AD security log for User-ID and your probing configuration does not work.

So when you log in via cable, the firewall/UIA learns the mapping from the AD security log, but when you switch network connection I think you get a new IP. As there is no login event on the AD, you have no correct user-IP mapping and the connection is blocked.


Did you set the correct permissions for probing?

Take a look at: https://live.paloaltonetworks.com/t5/General-Topics/Permissions-of-user-ID-service-account-for-wmi-a...

You can check whether your AD account is allowed to get the logged-in user via the following CLI command on Windows:

WMIC /NODE:xxx.xxx.xxx.xxx COMPUTERSYSTEM GET USERNAME

Make sure that you run that command in the context of your UID Agent user!

https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/user-id/configure-user-mapping-using...

Hi Alex,

Probing etc. is configured as in this article.
I have just added our local DATA network to the include/exclude networks (include - 10.0.0.0/8).

The problem usually occurs on mornings.

L2 Linker

The article you mentioned does not cover the permission settings on the Windows side.

Please use the wmic command mentioned before to test if you receive the user information from the client. When you receive an empty response, the permissions are not correct.

The network for sure must be in the include list for the firewall to create an IP-user mapping.

Cyber Elite

Hello,

Do you use MS Exchange for email? If yes, I have found those logs to be quicker to respond to IP changes, i.e. wireless to WiFi. Sometimes what happens on a PC is that other accounts are running on it from external sources, so the mapping in the PAN won't be correct.

For example, if you use a 3rd party tool to push out software or updates that uses a service account, then the IP to User mapping in the PAN will most likely show the service account, since it only uses the last account to log into a PC.

This has caused me issues in the past when performing vulnerability scans. All of a sudden it would look like my scanning account was logged into the PC, and it was, for scanning purposes.

You can check the Unified logs to make sure the IP/Username is correct for that PC or help you track down what is causing it to change.

Hope that helps.
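As an added example (not code posted by anyone in this thread), the following PowerShell script combines the two checks discussed above: it runs the same WMI query as the suggested WMIC command against a list of clients using the UID agent service account, separating "access denied" (permissions) from an empty UserName (no interactive logon), and it lists the other accounts holding logon sessions on each host, which is how a service or scanning account ends up as the mapped user. The sample addresses in $Hosts are constructed; it assumes WMI/DCOM is reachable on the clients.

```powershell
# Added example, not from the thread. Mirrors "WMIC /NODE:<ip> COMPUTERSYSTEM GET USERNAME"
# run as the UID agent account and classifies each host as AccessDenied, EmptyUserName or OK.
# Also lists other accounts with logon sessions (service/batch/interactive) on the host.
# Assumptions: $Hosts are constructed sample IPs; WMI/DCOM (TCP 135 + RPC) is reachable.
param(
    [string[]]$Hosts = @('10.0.1.25', '10.0.1.26'),   # constructed sample client IPs
    [pscredential]$AgentCred = (Get-Credential -Message 'UID agent service account')
)

function Test-UserIdProbe {
    param([string]$ComputerName, [pscredential]$Credential)

    $r = [ordered]@{ Host = $ComputerName; Status = ''; ConsoleUser = ''; OtherLogons = '' }
    try {
        $cs = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $ComputerName `
                            -Credential $Credential -ErrorAction Stop
        if ([string]::IsNullOrEmpty($cs.UserName)) {
            $r.Status = 'EmptyUserName'   # nobody at the console: nothing for User-ID to map
        } else {
            $r.Status = 'OK'
            $r.ConsoleUser = $cs.UserName
        }
        # Logon types 2/10 = interactive, 4 = batch, 5 = service
        $sessions = Get-WmiObject -Class Win32_LogonSession -ComputerName $ComputerName `
                                  -Credential $Credential -ErrorAction Stop `
                                  -Filter 'LogonType=2 OR LogonType=4 OR LogonType=5 OR LogonType=10'
        $accounts = foreach ($s in $sessions) {
            # Win32_LoggedOnUser associates each session with its account
            $s.GetRelated('Win32_Account') | ForEach-Object { "$($_.Domain)\$($_.Name)" }
        }
        $r.OtherLogons = ($accounts | Sort-Object -Unique |
                          Where-Object { $_ -ne $r.ConsoleUser }) -join ';'
    } catch {
        # 0x80070005 (E_ACCESSDENIED): the account lacks DCOM/WMI rights on the client
        if ($_.Exception.Message -match 'Access is denied|0x80070005') {
            $r.Status = 'AccessDenied'
        } else {
            $r.Status = "Error: $($_.Exception.Message)"   # RPC unavailable, host firewall, etc.
        }
    }
    [pscustomobject]$r
}

$Hosts | ForEach-Object { Test-UserIdProbe -ComputerName $_ -Credential $AgentCred } |
    Format-Table -AutoSize
```

A host reporting OK with a non-empty OtherLogons column is the case described in the last reply: the console user is present, but another account also has a session and may be the one the agent records.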
