I've searched and found a few posts but I can't seem to find the solution; prior to 8.1 UIA, all users showed up in UIA as domain\username. Since installation of UIA 8.1.12, it's a mix of domain\username and username@domain. It seems that in the firewalls themselves, I'm only seeing domain\username, so the proper rules seem like they are being applied, but what setting am I missing so that in the UIA itself, I only see domain\username? I have only updated a couple of my UIA sites because I don't want to take a chance that this could be an issue and start sending username@domain mappings to my firewall.
Ah, I have seen (and answered) this question before.
So... the FW is only gaining information that is otherwise collected from the various security logs on the DCs in the environment.
It is difficult to ask the question like this... but WHY are the DCs sending conflicting information to the FW?
Seems like a rather unusual question to ask, but I do believe there is only a single service account (from the DC) that has been configured on the FW.
So the FW uses this service account to collect the groups and DCs that it can communicate with (meaning, configured to talk to) and this comes from the FW admin under the UserID ==> Server Monitoring... so the FW only collects what it receives... Make sense?
So working backwards... I am presuming you have UserIDAgent (standalone software) on the DCs for Root and OLD (vs using the Integrated UserID on the FWs).
Either way, I think there is a need to go back and confirm the Group Mapping settings on the FW, and perhaps prepend and filter out information.
What have you done (if anything) to all tabs on this screen (including Server Profile, User and Group Attributes)... are you using the default (blank) or have you made changes here?
It just generally "feels" that your UserID agents are continuing to pass conflicting info to the FWs, and the FW is merely updating its logs, based on information it is receiving.
Based on what response we get back, we may be able to determine next steps.
I have UIA standalone installed on servers in some sites, but not all. These standalone UIA servers use a service account to run the UIA software and read from the onsite DC. The firewalls at locations that have UIA standalone are using both Panorama and standalone UIA as their UIA in the firewall (Device\User Identification\User-ID Agents).
So far, I have not seen any issues with standalone passing a different format to the firewall. For example, in site A, standalone UIA shows user A with IP 18.104.22.168 = username@domain but in the firewall itself, it shows username A with IP 22.214.171.124 with domain\username. So it doesn't seem that the UIA is passing that format to the firewall. But why am I seeing that format in the standalone UIA? I only want to see domain\username.