04-02-2012 09:39 AM
Although the "agentID client" is installed on one of our domain controller boxes, I find that when using the MONITOR log to look at the traffic, it doesn't show the "source user" of who is currently logged in via Active Directory. Any idea why?
In addition, the monitor log will show the IP address and it will "resolve hostname" when checking the box.
Any help would be appreciated.
04-02-2012 11:03 AM
Has this ever worked before, or is this a new installation?
Also, what version of the user-id agent and PAN OS Software are you running?
A few things you can do: check to see if the firewall has any correct mappings by running:
> show user ip-user-mapping all
If they are showing as unknown, then you need to open the agent installed on your DC and look to see if it's getting the correct mappings.
04-02-2012 12:32 PM
I ran the command you mentioned and it shows the following result. I've omitted users' domain/user names for privacy concerns.
The 192.168.7.x addresses are VPN GlobalProtect clients and they do show in the listing. So it seems it is only showing VPN clients at the moment. Does the user-id client agent need to be installed directly on the domain controller? We have it installed on our management server, which is a member server running on VMware.
We are running PAN OS Software 4.1.2
The user-id client is running version 4.1.2-2
PA-500> show user ip-user-mapping all
IP              Ident. By User                             Idle Timeout (s) Max. Timeout (s)
--------------- --------- -------------------------------- ---------------- ----------------
192.168.7.xxx   GP        (omitted domain/user)            2468098          2468098
192.168.x.xx    Unknown   unknown                          1                4
192.168.x.x     Unknown   unknown                          1                4
192.168.x.x     Unknown   unknown                          2                5
192.168.7.xxx   GP        (omitted domain/user)            2155146          2155146
192.168.x.x     Unknown   unknown                          2                5
192.168.x.x     Unknown   unknown                          0                3
192.168.x.xx    Unknown   unknown                          2                5
192.168.x.xxx   Unknown   unknown                          2                5
Total: 9 users
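A small triage script for that listing, added here as an example; it is not part of the original post or of Palo Alto Networks' tooling. It parses the output of show user ip-user-mapping all, counts mappings by the "Ident. By" source, lists the IPs that are still Unknown, and flags the situation in this thread, where every known mapping is a GlobalProtect (GP) one and nothing has arrived from the User-ID agent. The sample output is constructed with placeholder addresses and user names. The assumption that agent-learned mappings show an "Ident. By" value other than GP or Unknown is mine, not something the thread states.

```python
"""Parse and triage 'show user ip-user-mapping all' output from a PAN-OS firewall."""
import re
from collections import Counter

# Constructed sample output modelled on the redacted listing in the thread.
# Addresses and user names are placeholders, not real data.
SAMPLE_OUTPUT = """\
PA-500> show user ip-user-mapping all
IP              Ident. By User                             Idle Timeout (s) Max. Timeout (s)
--------------- --------- -------------------------------- ---------------- ----------------
192.168.7.10    GP        example\\vpnuser1                 2468098          2468098
192.168.1.20    Unknown   unknown                          1                4
192.168.1.21    Unknown   unknown                          1                4
192.168.7.11    GP        example\\vpnuser2                 2155146          2155146
192.168.1.30    Unknown   unknown                          2                5
Total: 5 users
"""

# One mapping row: IP, identification source, user, idle timeout, max timeout.
# The header, the dashed rule, the CLI prompt and the Total line never match
# because their last two fields are not integers (or they lack five fields).
ROW_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)$")
TOTAL_RE = re.compile(r"^Total:\s+(\d+)\s+users?$")

# Sources that do NOT come from the User-ID agent reading DC security logs.
# "GP" (GlobalProtect) and "Unknown" appear in the thread; anything else is
# assumed here to be an agent-learned mapping (my assumption, not from the thread).
NON_AGENT_SOURCES = {"GP", "Unknown"}


def parse_mappings(text):
    """Return one dict per mapping row found in the CLI output."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            ip, source, user, idle, maximum = m.groups()
            rows.append({"ip": ip, "source": source, "user": user,
                         "idle": int(idle), "max": int(maximum)})
    return rows


def parse_total(text):
    """Return the count from the 'Total: N users' trailer, or None if absent."""
    for line in text.splitlines():
        m = TOTAL_RE.match(line.strip())
        if m:
            return int(m.group(1))
    return None


def summarize(rows):
    """Count mappings per source and list the addresses still unmapped."""
    by_source = Counter(r["source"] for r in rows)
    unknown_ips = [r["ip"] for r in rows if r["source"] == "Unknown"]
    agent_mapped = sum(1 for r in rows if r["source"] not in NON_AGENT_SOURCES)
    return {"by_source": dict(by_source),
            "unknown_ips": unknown_ips,
            "agent_mapped": agent_mapped}


def agent_feed_missing(rows):
    """True when no mapping came from anything but GP or Unknown.

    That is the symptom in the thread: the firewall only knows VPN users, so
    either the agent is not learning domain logons or it is not delivering
    them to the firewall (zone User-ID setting, agent connectivity, or the
    agent not monitoring the DC the users actually authenticate against).
    """
    return all(r["source"] in NON_AGENT_SOURCES for r in rows)


if __name__ == "__main__":
    rows = parse_mappings(SAMPLE_OUTPUT)
    total = parse_total(SAMPLE_OUTPUT)
    if total is not None and total != len(rows):
        print(f"warning: parsed {len(rows)} rows but firewall reported {total}")
    report = summarize(rows)
    print("mappings by source:", report["by_source"])
    print("still Unknown:", ", ".join(report["unknown_ips"]))
    if agent_feed_missing(rows):
        print("no agent-sourced mappings: check the User-ID agent and zone settings")
```

Run it against a pasted copy of your own output instead of SAMPLE_OUTPUT; the interesting signal is agent_feed_missing() returning True while the agent's own console shows logons, which points at delivery to the firewall rather than at log collection.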
04-05-2012 11:21 AM
Do you have User ID enabled on the zone from where your internal users are coming in?
Also, do the users authenticate against a DC that is not being monitored by the User ID agent?
It would appear that your users on the GP zone are showing up correctly as that zone has user ID enabled.
If you go to Network>>Zones, check to see whether the users are coming in on a zone that has User-ID enabled (box is checked).
04-05-2012 11:47 PM
The agent does not need to be installed directly on the DC. Just a machine that can read the DC's security logs. However, installing it directly on the DC can rule out some communication issues.
As Saba said, it could be your zone not having userID checked. Since the firewall doesn't show the mappings, take a look at the agent and see if it's getting any mappings and is just having issues sending them to the firewall.