PAN-OS User-ID Issue and Workaround

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

PAN-OS User-ID Issue and Workaround

L2 Linker

I upgraded to PAN-OS 10.0 yesterday and encountered an unusual bug when pushing out a config to my 3220.  I opened a case, but figured I would post it here as well, but don't expect screenshots.

 

Symptom:

 

After the Panorama upgrade a commit to the 3220 was giving the following error:

 

Need to config WMI account and password for querying Microsoft directory servers

 

If I switch to WinRM-HTTP(s) I got similar error but referring to missing dns name.

 

Observations:

 

After some digging and after verifying I was not crazy and Panorama had the username, password and domain name, I removed the server monitors and was able to push a config.  A quick look on the firewall I noticed that the server monitoring account as empty, and appears that panorama is not pushing the settings correctly.  Firewalls run 9.1.3 currently.

 

Workaround: 

 

To resolve the issue, I overrode the User-ID settings on the firewall and added the account info, and just have Panorama pushing the the servers to monitor.  This resolved the issue in my case, but does leave that overrode setting that still needs to be addressed.

 

Hopefully this helps somebody in case you have the same problem, or if you have another solution to fix the override I would like to hear that.

12 REPLIES 12

L2 Linker

So I finally traced this problem back to panorama and template stacking, it appears that the not set setting in the higher template is not allowing the lower template to override it.

 

In my situation, I have a template that defines some very basic stuff that all firewalls have in a base config, it is the highest template in the list so it applies to all firewalls.  The WMI info in the template below that, but for some reason Panorama was not combining those into the template properly and leaving it blank in the template stack view.

 

I was able to just reorder the templates to fix it, and that may work in some situtations.

L7 Applicator

Another way probably would be to delete the user-id configuration from the upper template completely (at least if it is no longer used). Then the configuration from the template that you wanted to use should be applied. (In cases like this, deleting this from cli could help)

L2 Linker

You would be correct, that would have been a solution as well.  But the problem is a bit mode buggy.  The top policy never had that setting yet it was overriding it.  10 other policies also had settings in User-ID as well.  Even after committing to panorama, I am seeing the settings present even though they are not.

 

But you are correct.  Somehow during the 10.0.0 upgrade Panorama decided the empty settings are valid settings in the template and using them.  From simplistic view it is as if, maybe once in the past they had a user and password, that was later removed and placed in another template.   The Palo Alto saw the empty string as a blank setting and left it in the config.

L7 Applicator

as you only changed the template order, the 'setting" should still be there, so if your still interested you could check in CLI if something is there. At least you have a solution for your environment 😉

L2 Linker

That would be a the problem, take a look at the configs below.  The first has wmi settings the second doesn't.  But when they are applied or in the GUI it says the second one has settings and they are blank when applied, until I go and click remote all settings in the gui.  I could probably remove the setting in the CLI as well, but either way it is empty.

 

user-id-collector {
setting {
wmi-account xxx\xxxxxxxxx;
wmi-password -xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=;
}
server-monitor {
dc04 {
active-directory {
host dc04;
}
}
dc03 {
active-directory {
host dc03;
}
}
dc02 {
active-directory {
host dc02
}
}
}

panorama# show template lab01 config vsys vsys1 user-id-collector
user-id-collector {
setting;
}

L2 Linker

We recently upgraded Panorama to 10.0.3 and are seeing the same issues as OP. Still haven't found our workaround but plan on trying what others have posted here as well. Will update when I have more info.

Per Palo Alto TAC this should be resolved in 10.0.5 once it's release. No clue on the release date yet of 10.0.5.
I ended up using the work around of making my template w/ the wmi authentication settings top priority. Not a great solution but until 10.0.5 that's what I will be using. Could downgrade but I'll be patient for now.

L0 Member

I am on 10.0.6, and I still have the same problem as the OP.  I also put an override directly on the firewalls with the account credentials in order to be able to push the monitored servers via template.

 

L0 Member

I am on 10.0.7, and also still have the same problem.

n/a

L0 Member

We upgraded to 10.0.8 as per TAC suggestion but still getting same error while commit from panorama, then they given below work around , yet to try.

From panorama cli , get into configure mode and try to execute below command, please note in below command change template name to one in concern and execute it .after command is successful, try to commit same and push .

delete template <template name> config vsys vsys1 user-id-collector setting


Move the template which has the user-id configuration on top of the template stack.

After performing above two steps , it should work

I know your comment is a few months old but wanted to respond anyway.  We've had this issue for months and just recently found a workaround that is working for us.  We started on 9.1.11 software on our 7080's, went to 9.1.13-h1 successfully.  From there we attempted to go to 10.0.0 and noticed that the auto commits were failing not allowing the device to complete the boot up and become functional.  All we've done is exported a device state when we're in the 9.1.13-h1 software, and then imported it after the 10.0.0 upgrade.  From there a few times we've had to enter the username and password for the WMI account, then CLI and force a commit.

L0 Member

I am still experiencing this issue on a brand new panorama install version 10.2.2-h1.

I have tried all of the workarounds as mentioned in this thread however can not get the User-ID configuration onto the firewalls. I have found the config impacted for me under the User-Identification menu is only three areas , Palo Alto Networks User-ID Agent Setup, Connection Security and Authentication Portal Settings. All other configurations under User-Identification I can apply with no issues to my firewalls from panorama.

 

Palo support are yet to find a fix. I have identical config in another panorama instance running 9.1.13 and have no issues.

 

I am unable to override via CLI on the local firewalls as when I enter the settings locally using override commands they are there and commit fine with no errors but not active. The xml export also shows config on local firewalls but it appears to do nothing.

 

Hopefully support can figure this out else we may need to use the windows user-id agent or wait for their new Cloud Identity Engine to support users.

  • 13679 Views
  • 12 replies
  • 2 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!