mapping issue


Alex, we gave these permissions to the integrated user. I issued the command you said and it's working.

But when I change to Wi-Fi, it doesn't work for some time. I have to restart or wait 10-15 minutes.


Hi Otakar!

I checked the Unified logs when I changed to Wi-Fi and the mapping didn't happen, but there were no logs.

And yes, we use an Exchange server. Should there be any config change or not?

Can you post some link or anything.

Thanks in advance!

L2 Linker

Did you test from the User-ID agent or on the local computer?

When you establish a connection and the IP is unknown, this should trigger probing. Depending on your network, you may be blocking the probing on the firewall? Also, WMI is quite slow, so check the logs of the UIA for a lot of probes pending/queued.

Regarding the Exchange server, you can use it as a source for user information on the UIA too; usually you get more user login events on that system. But this would also require that your Exchange is reachable without user information.

When it comes to service users for software deployment or scans: put those users in the exclude list!

Cyber Elite

Hello,

Yes, if you want to monitor the Exchange logs, you will need to reconfigure the User-ID setup.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGGCA0

Instead of Microsoft Active Directory, use Microsoft Exchange.

Regards,


I tested both from the local computer and the User-ID agent.

Probing is set for 20 minutes (default). I'll check the logs the next time this issue occurs.

Maybe there is an alternative to WMI if it's so slow?

Regarding the Exchange server config: we have some users, me for example, who have 2-3 mail accounts. These are other people's accounts, people who left work, and we need them. Their accounts are disabled, but the mail accounts are working. It'll also create an issue, I think.

L2 Linker

You can use multiple UIA instances and divide the network ranges (include/exclude lists) so that each agent has a smaller range to probe. Besides that, you have the option to use captive portal (with NTLM auth) or, much better, GlobalProtect with internal gateways.

You could enable User-ID debug logs to find more information on why a mapping was lost: timeout, probing, etc.

 

debug user-id...

You can check the logs via "less mp-log useridd.log".

You should find several articles in this KB regarding User-ID debug, for example:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClR1CAK

Regarding your Exchange accounts: you should give your own user access rights to the mailboxes of the people you mentioned. No need to log in with the account of the user that left; it could also be a legal issue if you "impersonate" that user.


Thank you for your help, Alex. Much appreciated.

As I understand, captive portal and GlobalProtect are used in a Layer 3 setup. But we use virtual wire right now, and the change of design to Layer 3 is our plan for next year.

You mean multiple UIA instances on one AD? Multiple users with the same privileges, or what?

I'll use debug when this problem happens again, but it doesn't happen often. So I'm waiting.

Their accounts are locked; only mail is working and it's attached to my mail.

L2 Linker

You can use CP and GP in vwire, but indeed this needs some more configuration steps; too much to handle in this issue.

But you can find a lot of useful documents in the Palo Alto Knowledgebase, e.g. this one for CP: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClJYCA0

Regarding GP and internal gateways, there are several articles around here and you can also find the info in the admin guide.

Regarding UIA instances: you can install the User-ID Agent on Windows servers in your environment; please take a look at the documentation. At the moment it seems you only use the agent on the firewall itself.

Thank you for your replies and links!

I'll download and install the agent on a Windows AD server and test it.

Yes, right now I only have the agent on the firewall.
