No user identification after upgrading to 3.1

Hi James

it's defo the AD agent, and it can see groups and user to IP mappings.  there's logs on the 4020 in the system logs saying failed to connect to PAN Agent, then the IP address.  then there is the same log for each agent on all our DCs

ALso there's an SSL Connect error (IP Adress): 1

Hi,

Here's how me and the Tech fixed this issue.

*First you must have the AD agent then when setting up the UIA on the PAN ensure you choose PAN-Agent this is why your getting the SSL errors.

*The reason your not getting the IP information is because of your Auditing on the DC's in your organization. I had to go in group policy and go to the policy for domain controllers enable Success/Failure in the local policies Auditing container.

     *If you are using Server 2008 here's the events the UIA looks for 4624, 4768, 4769, 4770, 4776 once this is working the UIA looks at the DC security logs in event viewer for logon success/failures this will happen immediately but I did a gpupdate /force on my DC's.

     *Go to your UIA and select Get IP All you should see your IP's that you configured in the ALLOW IP. That's all I did and I'm in business.

thanks for your help.  i will answer your suggestions:

i already had pan agent selected

we used to have the old version of pan agents so surely the auditing is already setup.  i can click get all and that shows me all the user to IP mappings on the PAN agent.

most are server 2003 DC's with 1 server 2008, but they all worked fine before 3.1

IPs allowed are all private ranges on the PAN agent.  there is also a checkpoint FW between the management interface on the PAN and some of the DCs with the agent installed, but I have checked and that traffic is all accepted and passed.  I can see in the logs on the PAN Agent that it's seeing the connection from the PAN.

Message was edited by: aveva.palo

Hi Aveva.palo,

I see you have a support case open now - which is probably a good route to go here.  I'll keep track of progress there - if you need any further help, please let me know.

Thanks

James

Hi there,

Use user-id with 3.1 you must upgrade your agents to version 3.1.  They are incompatible with all prior versions. See the version 3.1 release notes on page 6.  There is a note marked "important" that explains this.

Edit - I noticed you already did this after posting.  Whoops 🙂

the issue was 2 fold.

some of the DCs I upgraded to 3.1 PAN Agent I also rebooted because of windows updates.  others I didn't. the other ones had no pan agent service running.  that isn't the main issue, but I'm posting it here for future reference.

in the end the palo 4020 had cached some SSL info that is established when connecting to the PAN Agents.  as I upgraded the agents they didn't recognise the SSL info from the PAN and refused the connection.  Palo tech support ran some commands to diagnose this, then ran one command to restart a service on the PAN box that looks after the PAN agent connections.  this also flushed the cashe, but the user traffic was not affected.

How is the traffic recognized in your traffic log, as ssl or as paloalto-userid-agent?

There is an application named "paloalto-userid-agent" (or similar) which in case you use a non default port you might need to setup an "application override" for so the PAN will know its userid-agent traffic. However when you setup a policy for this traffic (if reach through one of the interfaces on the dataplane) I think you need to setup both ssl and paloalto-userid-agent as allowed applications.