Palo stops identifying users in traffic logs

L4 Transporter

Hi, 

 

We realized that Palo Alto suddenly stops identifying users. We can see an example in these traffic logs.

 

In this screenshot, we see how the user is being identified, but there are connections where it's not appearing.

 

Sometimes, when running show user ip-user-mapping all, we cannot see the user associated with the correct IP.

 


 

What could cause this problem? Any troubleshooting advice?

 

Thanks a lot.



Cyber Elite

How is your timeout configured on User-ID?

 

Your mappings may be timing out, causing the gaps in the log. Could you share your configuration?

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

L7 Applicator

FYI.

For similar reasons we have set ours to the following.

 

User Identification Timeout (min)  1440

 

So... 24 hours, and it seems to be OK.

@soporteseguridad,

I wouldn't set age_out to 1440; nobody is working for 24 hours. Set the age_out time to match a user's average day, so if you work from 7-5 on average then make the timeout 600 or 630 to give a little wiggle room.
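One way to check the thread's hypothesis (mappings ageing out before the workday ends) is to parse the output of show user ip-user-mapping all and flag entries whose remaining idle timeout is low. The following is an added example, not code from the thread or from Palo Alto Networks; the column layout (IP, Vsys, From, User, IdleTimeout(s), MaxTimeout(s)) and the sample rows are assumptions constructed for illustration, so adjust the regular expression if your PAN-OS version prints the table differently.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample output in the column layout this example ASSUMES for
# "show user ip-user-mapping all"; the addresses and users are made up.
SAMPLE_OUTPUT = """\
IP              Vsys   From    User                     IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- ------------------------ -------------- -------------
10.10.1.21      vsys1  UIA     corp\\alice              2400           2400
10.10.1.22      vsys1  UIA     corp\\bob                120            2400
10.10.1.23      vsys1  UIA     corp\\carol              0              0
Total: 3 users
"""

# One data row: dotted-quad IP, vsys, source (e.g. UIA), user, two integers.
ROW_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<vsys>\S+)\s+(?P<source>\S+)\s+"
    r"(?P<user>\S+)\s+(?P<idle>\d+)\s+(?P<max>\d+)\s*$"
)


@dataclass
class Mapping:
    ip: str
    vsys: str
    source: str
    user: str
    idle_timeout_s: int
    max_timeout_s: int


def parse_mappings(text: str) -> List[Mapping]:
    """Parse the CLI table into Mapping records, skipping header/footer lines."""
    mappings = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header, separator, "Total:" line, or blank
        mappings.append(Mapping(
            ip=m.group("ip"),
            vsys=m.group("vsys"),
            source=m.group("source"),
            user=m.group("user"),
            idle_timeout_s=int(m.group("idle")),
            max_timeout_s=int(m.group("max")),
        ))
    return mappings


def expiring_soon(mappings: List[Mapping], threshold_s: int) -> List[Mapping]:
    """Mappings whose remaining idle timeout is at or below threshold_s.

    A user that still generates traffic after this entry expires will show up
    in the traffic log with an empty user field until a fresh logon is seen.
    """
    return [m for m in mappings if m.idle_timeout_s <= threshold_s]


def minutes_for_workday(hours: float, wiggle_min: int = 30) -> int:
    """Timeout (minutes) per the accepted answer's rule of thumb: the length of
    an average working day plus a little slack, e.g. 7-5 is 10 h -> 630."""
    return int(hours * 60) + wiggle_min


if __name__ == "__main__":
    rows = parse_mappings(SAMPLE_OUTPUT)
    for r in expiring_soon(rows, threshold_s=300):
        print(f"{r.ip:<15} {r.user:<20} idle={r.idle_timeout_s}s max={r.max_timeout_s}s")
    print("suggested User Identification Timeout (min):", minutes_for_workday(10))
```

Run the script against a saved copy of the CLI output (replace SAMPLE_OUTPUT with the file contents); entries that repeatedly appear in the low-timeout list while the user is still active are the ones to correlate with the gaps in the traffic log.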

Cyber Elite

Hello,

Which User-ID option are you using to detect the users? Agent, agentless, or WMI? I have a case open for the User-ID agents stopping pulling in user data after a while, and currently the agentless method is also not able to connect to some of my servers (another case). While it's not affecting me much at the moment, it is a pain point. I'll update the case if I find out anything.

 

PAN-OS 8.0.3 (we are upgrading to 8.0.5 to see if it helps, since there seem to be a lot of fixes for the User-ID agent).

Agent versions: 8.0.4-5

 

Regards,

@OtakarKlier

I'm using agents, collecting from 12 DCs. Never had an issue until we updated to V8.

Agents failed to connect on occasions, and when they were collecting we had a strange issue where the current policies were not allowing traffic through for specific groups or users. It was a live system, so we had to roll back to V7 immediately. Never got a chance to diagnose, so please update with your findings.

Hello @Mick_Ball,

I have also seen this with my smaller deployment. We went ahead and also implemented the agentless User-ID as a stop gap, since TAC was not able to find a resolution. I also made sure that I had autodiscover enabled so that it would pick up on Exchange activity. So far it is working, but some of my PANs lose connectivity to some of my DCs; it seems random, but I do have a TAC case open.

 

Sorry, I don't have a solution at the moment. Also, 8.0.5 has the same issues :(

 

I'll update when I have more information.

I increased the User-ID timeout in the cache (700 minutes); now it is working fine.
