No user identification after upgrading to 3.1

I've upgraded our 4020, and all the User-ID agents, to 3.1, but I'm getting no user info on the Palo.

How can I troubleshoot this?

Hi Gents,

Please check first of all whether the users get into the PAN Agent. I assume you downloaded the PAN Agent for AD and not for LDAP, as they are two different things.

So I guess the first place to troubleshoot is where the User-ID is "broken".  Is it between the Agent and the DC's or between the Agent and the PA Appliance?

You can check on the Agent if it is able to read the LDAP tree and also able to get all user information and groups.  If not, then please turn the logging up to verbose and capture the logs.

This may turn into a support case, but let me know how you get on with this.

Thanks

James

Hi James

It's defo the AD agent, and it can see groups and user-to-IP mappings. There are logs on the 4020 in the system logs saying "failed to connect to PAN Agent", then the IP address. Then there is the same log for each agent on all our DCs.

Also there's an "SSL Connect error (IP Address): 1".

Hi,

Here's how me and the Tech fixed this issue.

* First, you must have the AD agent; then, when setting up the UIA on the PAN, ensure you choose PAN-Agent. This is why you're getting the SSL errors.

* The reason you're not getting the IP information is because of your auditing on the DCs in your organization. I had to go into group policy, go to the policy for domain controllers, and enable Success/Failure in the local policies Auditing container.

     * If you are using Server 2008, here are the events the UIA looks for: 4624, 4768, 4769, 4770, 4776. Once this is working, the UIA looks at the DC security logs in Event Viewer for logon success/failures. This will happen immediately, but I did a gpupdate /force on my DCs.

     * Go to your UIA and select Get IP All; you should see the IPs that you configured in the ALLOW IP. That's all I did and I'm in business.

Thanks for your help. I will answer your suggestions:

I already had PAN Agent selected.

We used to have the old version of PAN Agents, so surely the auditing is already set up. I can click Get All and that shows me all the user-to-IP mappings on the PAN Agent.

Most are Server 2003 DCs with one Server 2008, but they all worked fine before 3.1.

IPs allowed are all private ranges on the PAN Agent. There is also a Check Point FW between the management interface on the PAN and some of the DCs with the agent installed, but I have checked and that traffic is all accepted and passed. I can see in the logs on the PAN Agent that it's seeing the connection from the PAN.

Hi Aveva.palo,

I see you have a support case open now, which is probably a good route to go here. I'll keep track of progress there; if you need any further help, please let me know.

Thanks

James

Hi there,

To use User-ID with 3.1 you must upgrade your agents to version 3.1. They are incompatible with all prior versions. See the version 3.1 release notes on page 6. There is a note marked "important" that explains this.

Edit - I noticed you already did this after posting.  Whoops 🙂

The issue was two-fold.

Some of the DCs I upgraded to the 3.1 PAN Agent I also rebooted because of Windows updates; others I didn't. The other ones had no PAN Agent service running. That isn't the main issue, but I'm posting it here for future reference.

In the end, the Palo 4020 had cached some SSL info that is established when connecting to the PAN Agents. As I upgraded the agents, they didn't recognise the SSL info from the PAN and refused the connection. Palo tech support ran some commands to diagnose this, then ran one command to restart a service on the PAN box that looks after the PAN Agent connections. This also flushed the cache, but user traffic was not affected.
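The two DC-side checks raised in this thread (the Security event IDs the agent reads, and whether the agent service is actually running after a reboot) can be scripted. This is an added example, not from the thread or from Palo Alto Networks; it assumes Windows Server 2008 or later with Get-WinEvent, and the service display-name patterns are a guess to adjust for your install.

```powershell
# Added example (not from the thread): DC-side sanity checks for User-ID agent troubleshooting.
# Assumptions: Get-WinEvent is available (Server 2008+); the agent's service display name
# matches one of $ServicePattern (placeholder patterns, adjust for your install).

param(
    [int]$Minutes = 15,
    [string[]]$ServicePattern = @('*User-ID*', '*PAN*Agent*')
)

# Logon-related Security event IDs the reply above says the agent reads.
$UserIdEventIds = 4624, 4768, 4769, 4770, 4776

$since  = (Get-Date).AddMinutes(-$Minutes)
$filter = @{ LogName = 'Security'; Id = $UserIdEventIds; StartTime = $since }

# Get-WinEvent errors when nothing matches; SilentlyContinue turns that into an empty result.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    Write-Warning "No logon audit events (IDs $($UserIdEventIds -join ', ')) in the last $Minutes minutes."
    Write-Warning "Check the Domain Controllers GPO: audit logon / account logon = Success and Failure, then run gpupdate /force."
} else {
    # Count per event ID so a missing category (e.g. no 4768 Kerberos TGT requests) stands out.
    $events | Group-Object Id | Sort-Object Name |
        Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count | Format-Table -AutoSize
}

# Confirm the agent service is running (one poster found it stopped on DCs that had been rebooted).
$svc = Get-Service | Where-Object {
    $dn = $_.DisplayName
    @($ServicePattern | Where-Object { $dn -like $_ }).Count -gt 0
}
if (-not $svc) {
    Write-Warning "No service matching $($ServicePattern -join ' / ') found; verify the agent install."
} else {
    $svc | Select-Object Name, DisplayName, Status | Format-Table -AutoSize
    $svc | Where-Object { $_.Status -ne 'Running' } | ForEach-Object {
        Write-Warning "Service '$($_.DisplayName)' is $($_.Status); start it, then re-check the firewall's User-ID system logs."
    }
}
```

Run it as an administrator on each DC that hosts an agent; an empty event table points at auditing policy, while a stopped service points at the post-reboot problem described above.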

How is the traffic recognized in your traffic log, as ssl or as paloalto-userid-agent?

There is an application named "paloalto-userid-agent" (or similar) which, in case you use a non-default port, you might need to set up an "application override" for so the PAN will know it's User-ID agent traffic. However, when you set up a policy for this traffic (if it is reached through one of the interfaces on the dataplane), I think you need to set up both ssl and paloalto-userid-agent as allowed applications.
