mapping issue



facebook palo alto issue.jpg

Good Day to everyone.

I have this issue almost every day. It doesn't happen with all users at one time.

After restart, everything is working as it should work.

I have probe enabled (20 minutes) and Enable User Identification Timeout (720 minutes).

What can be the issue?

18 REPLIES

You can use multiple UIA instances and divide the network ranges (include/exclude lists) so that each agent has a smaller range to probe. Besides that, you have the option to use captive-portal (with NTLM auth) or, much better, use global-protect with internal gateways.

 

You could enable user-id debug logs to find more information on why a mapping was lost: timeout, probing, etc.

 

debug user-id...

 

You can check the logs via "less mp-log useridd.log"

 

You should find several articles in this KB regarding user-id debug, for example:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClR1CAK

 

Regarding your exchange accounts: you should give your own user access rights to the mail-boxes of the people you mentioned. No need to login with the account of the user that left - could also be a legal issue if you "impersonate" that user.

Thank you for your help, Alex. Much appreciated.

 

As I understand, captive-portal and global protect are used in combination with layer 3. But right now we use virtual wire, and the change of design to layer 3 is our plan for next year.

 

You mean, multiple UIA instances on one AD? Multiple Users with same privileges or what?

 

I'll use debug when this problem happens again, but it doesn't happen often. So I'm waiting.

 

Their accounts are locked, only mail is working and it's attached to my mail.

You can use CP and GP in vwire, but indeed this needs some further configuration steps, too much to handle in this issue.

But you can find a lot of useful documents in the PaloAlto Knowledgebase, e.g. this one for CP: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClJYCA0

 

Regarding GP and internal gateways there are several articles around here and you can also find the info in the admin guide.

 

Regarding UIA instances: you can install the User-ID Agent on Windows servers in your environment, please take a look at the documentation. At the moment it seems you only use the agent on the firewall itself.

Thank you for your replies and links!

I'll download and install agent on windows AD and test it.

Yes, right now I have the agent only on the firewall.
