mapping issue

Hi Mick,

I restart pc which has this problem and after restart everything is working.

I use AD username to make connection between PAN and AD.

So how long after you restart the pc does the problem come back for that user.. Is it after 12 hours.

For other users it happens at different time, so I can't tell you exact time.
But with me it happens almost every morning. I take my pc home at 6 PM and come at work at 9 AM.

It makes about 15 hours.

Also if some user turns off his pc for this time and turns it on in the morning the same problem occurs.

I now made this time for 20 hours. Maybe you have another solution?

Also it does the problem when I switch to WIFI network.

It blocks by ip.

It looks like you rely on AD security log for user-id and your probing configuration does not work.

So when you login via cable the firewall/UIA learns the mapping from the AD security log, but when you switch network connection I think you get a new IP. As there is no login event on the AD you have no correct user-ip-mapping and the connection is blocked.

Did you set the correct permissions for probing?

Take a look at: https://live.paloaltonetworks.com/t5/General-Topics/Permissions-of-user-ID-service-account-for-wmi-a...

You can check wether your AD account is allowed to get the logged in user via the following cli command on windows:

WMIC /NODE: xxx.xxx.xxx.xxx COMPUTERSYSTEM GET USERNAME

Make sure that you run that command in the context of your UID Agent user!

https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/user-id/configure-user-mapping-using...

Hi ALex,

probing and etc is configured as in this article.
I just added now our local DATA network in include/exclude network (include - 10.0.0.0/8).

The problem usually occurs on mornings.

the article you mentioned does not cover the permission settings on windows side.

Please use the wmic command mentioned before to test if you receive the userinformation from the client. when you receive an empty response, the permissions are not correct

The network for sure must be in the include list for the firewall to create a ip-user-mapping.

Hello,

Do you use MS exchange for email? If yes, I have found those logs to be quicker to respond to IP changes, i.e. wireless to WiFi. Sometime what happens on a PC is that other accounts are running on it from external sources so the mapping in the PAN wont be correct. 

For example if you use a 3rd party tool to push out software or updates that uses a service account, then the IP to User maping in the PAN will most likly show the service account since it only uses the last account to log into a PC.

This has caused me issues in the past when performing vulnerability scans. All of a sudden it would look like my scanning account was logged into the PC, and it was, for scanning purposes.

You can check the Unified logs to make sure the IP/Username is correct for that PC or help you track down what is causing it to change.

Hope that helps.

Alex, we gave this permissions to integrated user. I issued command you said and it's working.

But when I change to wifi it doesn't work for some time. I have to restart or wait for 10-15 minutes.

Hi Otakar!

I checked in Unified logs when I changed to wifi and mapping didn't happen, but there were no logs.

And yes we user Exchange server. Should there be any config change or?

Can you post some link or anything.

Thanks in advance!

Did you test from the user-id agent or on the local computer? 

When you establish a connection and the ip is unknown this should trigger the probing. Depending on your network you may be blocking the probing on the firewall? Also wmi is quite slow, so check the logs of the UIA if there are a lot of probes pending/queued.

Regarding Exchange server, you can use this as source for user-information too on the UIA - usually you get more user login events on that system. But this would also require that your Exchange is reachable without user information.

When it goes to service-users for software deployment or scans: put those users in the exclude list!

Hello,

Yes if you want to monitor the exchange logs, you will need to perform reconfiguration of the user-id setup.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGGCA0

Instead of Microsoft ACtive directory, use Microsoft Exchange.

Regards,

I test both from local computer and the user-id agent.

Probing is set for 20 minutes(default). I'll check logs the next time this issue will occur.

Maybe there any alternative to wmi if it's so slow?

Regardless Exchange server config: we have some users, me for example, which has 2-3 mail accounts. This are different people accounts, which leave the work and we need them. Their accounts are disabled, but mail accounts are working. It'll also create an issue I think.