Monitoring - source user not shown in log

Not applicable


Although the "agentID client" is installed on one of our domain controller boxes, I find that when using the MONITOR log to look at the traffic, it doesn't show the "source user" who is currently logged in via Active Directory. Any idea why?

In addition, the monitor log will show the IP address and it will "resolve hostname" when checking the box.

Any help would be appreciated.

Rob

L5 Sessionator

Hi Robert,

Has this ever worked before, or is this a new installation?

Also, what version of the user-id agent and PAN OS Software are you running?

One thing you can do is check to see if the firewall has any correct mappings by running:

> show user ip-user-mapping all

If they are showing as unknown, then you need to open the agent installed on your DC and look to see if it's getting the correct mappings.

Thanks,

Jason Seals

Not applicable

Jason,

I ran the command you mentioned and it shows the following result. I've omitted users' domain/user names for privacy concerns.

The VPN 192.168.7.x addresses are VPN GlobalProtect clients and they do show in the listing. So it seems it is only showing VPN clients at the moment. Does the user-id client agent need to be installed directly on the domain controller? We have it installed on our manage server, which is a member server that runs on VMware.

We are running PAN OS Software 4.1.2

The user-id client is running version 4.1.2-2

PA-500> show user ip-user-mapping all


IP              Ident. By User                             Idle Timeout (s) Max. Timeout (s)
--------------- --------- -------------------------------- ---------------- ----------------
192.168.7.xxx   GP        (omitted domain/user)            2468098          2468098
192.168.x.xx    Unknown   unknown                          1                4
192.168.x.x     Unknown   unknown                          1                4
192.168.x.x     Unknown   unknown                          2                5
192.168.7.xxx   GP        (omitted domain/user)            2155146          2155146
192.168.x.x     Unknown   unknown                          2                5
192.168.x.x     Unknown   unknown                          0                3
192.168.x.xx    Unknown   unknown                          2                5
192.168.x.xxx   Unknown   unknown                          2                5
Total: 9 users
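
An added example, not part of the thread and not Palo Alto code: a small Python parser for the "show user ip-user-mapping all" table above that reports which subnets contain only Unknown entries, the pattern that the replies tie to a zone without User-ID enabled or an agent that is not delivering mappings. The sample rows, the user names and the /24 grouping are constructed assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample in the column layout shown in the thread; the addresses
# and user names are made up (the post redacts the real ones).
SAMPLE = """\
IP              Ident. By User                             Idle Timeout (s) Max. Timeout (s)
--------------- --------- -------------------------------- ---------------- ----------------
192.168.7.21    GP        example\\alice                    2468098          2468098
192.168.10.14   Unknown   unknown                          1                4
192.168.10.9    Unknown   unknown                          2                5
192.168.7.130   GP        example\\bob                      2155146          2155146
192.168.7.44    Unknown   unknown                          1                4
192.168.20.77   Unknown   unknown                          0                3
Total: 6 users
"""

# IP, identification source, user (may contain spaces), idle and max timeouts.
ROW = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(.+?)\s+(\d+)\s+(\d+)\s*$")

def parse_mappings(text):
    """Return one dict per data row; header, rule and 'Total:' lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            ip, source, user, idle, max_t = m.groups()
            rows.append({"ip": ip_address(ip), "source": source, "user": user,
                         "idle": int(idle), "max": int(max_t)})
    return rows

def unmapped_subnets(rows, prefix=24):
    """Return {subnet: (unknown, total)} for subnets where every listed
    address is Unknown, i.e. no user mapping reached the firewall at all."""
    counts = defaultdict(lambda: [0, 0])
    for r in rows:
        net = ip_network(f"{r['ip']}/{prefix}", strict=False)
        counts[net][1] += 1
        if r["source"].lower() == "unknown":
            counts[net][0] += 1
    return {str(n): tuple(c) for n, c in counts.items() if c[0] == c[1]}

if __name__ == "__main__":
    for net, (unk, total) in unmapped_subnets(parse_mappings(SAMPLE)).items():
        print(f"{net}: {unk}/{total} addresses have no user mapping")
```

A subnet that mixes mapped and Unknown addresses (192.168.7.0/24 in the sample) is left out of the report, since some mappings are reaching the firewall for it.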

L4 Transporter

Do you have User ID enabled on the zone from where your internal users are coming in?

Also, do the users authenticate against a DC that is not being monitored by the User ID agent?

It would appear that your users on the GP zone are showing up correctly as that zone has user ID enabled.

Go to Network >> Zones and check to see if the users are coming in on a zone that has UserID enabled (box is checked).

L5 Sessionator

Hi Robert,

The agent does not need to be installed directly on the DC. Just a machine that can read the DC's security logs. However, installing it directly on the DC can rule out some communication issues.

As Saba said, it could be your zone not having userID checked. Since the firewall doesn't show the mappings, take a look at the agent and see if it's getting any mappings and is just having issues sending them to the firewall.

Thanks,

Jason Seals

L4 Transporter

We are seeing a similar issue on 3.1.2 client connecting to PANOS 4.0.11 (yes, we do have an open case).

We've tried reinstalling the agent without success.

We've tried uninstalling the agent, doing a clean up and installing again.

No luck as yet, but we will update when we find a resolution.

Not applicable

I have the same problem with PAN OS 4.1.6 and UI agent 4.1.6-5.

Help me..

Not applicable

same problem here with OS 4.1.9 and agent 4.1.4-3...intermittently empty source user field in traffic logs for the same source IP
