07-22-2020 09:42 AM
I upgraded to PAN-OS 10.0 yesterday and encountered an unusual bug when pushing out a config to my 3220. I opened a case, but figured I would post it here as well, but don't expect screenshots.
Symptom:
After the Panorama upgrade a commit to the 3220 was giving the following error:
Need to config WMI account and password for querying Microsoft directory servers
If I switch to WinRM-HTTP(S), I get a similar error, but referring to a missing DNS name.
Observations:
After some digging and after verifying I was not crazy and Panorama had the username, password and domain name, I removed the server monitors and was able to push a config. With a quick look on the firewall I noticed that the server monitoring account was empty, and it appears that Panorama is not pushing the settings correctly. Firewalls run 9.1.3 currently.
Workaround:
To resolve the issue, I overrode the User-ID settings on the firewall and added the account info, and just have Panorama pushing the servers to monitor. This resolved the issue in my case, but does leave that overridden setting that still needs to be addressed.
Hopefully this helps somebody in case you have the same problem, or if you have another solution to fix the override I would like to hear that.
08-10-2020 02:22 PM
That would be the problem; take a look at the configs below. The first has WMI settings, the second doesn't. But when they are applied, or in the GUI, it says the second one has settings, and they are blank when applied, until I go and click remove all settings in the GUI. I could probably remove the setting in the CLI as well, but either way it is empty.
user-id-collector {
  setting {
    wmi-account xxx\xxxxxxxxx;
    wmi-password -xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=;
  }
  server-monitor {
    dc04 {
      active-directory {
        host dc04;
      }
    }
    dc03 {
      active-directory {
        host dc03;
      }
    }
    dc02 {
      active-directory {
        host dc02;
      }
    }
  }
}
panorama# show template lab01 config vsys vsys1 user-id-collector
user-id-collector {
  setting;
}
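Added example, not part of the original posts and not Palo Alto code: a small Python check that reads saved output of the show template ... user-id-collector command quoted above and flags the two conditions described in this thread, a setting node that is present but empty and server monitors defined without WMI credentials. The function names and sample values are constructed for illustration.

```python
# Constructed samples modelled on the two outputs in the post above (values redacted).
GOOD = """user-id-collector {
  setting {
    wmi-account EXAMPLE\\svc-userid;
    wmi-password -REDACTED=;
  }
  server-monitor {
    dc04 {
      active-directory {
        host dc04;
      }
    }
  }
}"""
EMPTY = "user-id-collector {\n  setting;\n}"

def parse(text):
    """Parse brace-style config output into nested dicts; a bare 'key;' maps to None."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):            # "name {" opens a nested block
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line == "}":                 # "}" closes the current block
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        else:                             # "key value;" or bare "key;"
            key, _, value = line.rstrip(";").partition(" ")
            stack[-1][key] = value.strip() or None
    if len(stack) != 1:
        raise ValueError("unclosed block")
    return stack[0]

def check_user_id_collector(text):
    """Return findings for one template's user-id-collector output."""
    uid = parse(text).get("user-id-collector") or {}
    setting = uid.get("setting") or {}
    monitors = uid.get("server-monitor") or {}
    findings = []
    if "setting" in uid and not setting:
        findings.append("setting node is present but empty")
    if monitors and not (setting.get("wmi-account") and setting.get("wmi-password")):
        findings.append(f"{len(monitors)} server monitor(s) defined without WMI credentials")
    return findings
```

Running check_user_id_collector over the saved output of each template before a push shows which template carries the blank setting node.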
01-28-2021 05:39 AM
We recently upgraded Panorama to 10.0.3 and are seeing the same issues as OP. Still haven't found our workaround but plan on trying what others have posted here as well. Will update when I have more info.
01-28-2021 09:10 AM
Per Palo Alto TAC this should be resolved in 10.0.5 once it's released. No clue on the release date yet of 10.0.5.
I ended up using the workaround of making my template w/ the WMI authentication settings top priority. Not a great solution, but until 10.0.5 that's what I will be using. Could downgrade, but I'll be patient for now.
07-07-2021 11:31 AM
I am on 10.0.6, and I still have the same problem as the OP. I also put an override directly on the firewalls with the account credentials in order to be able to push the monitored servers via template.
10-05-2021 12:37 AM
I am on 10.0.7, and also still have the same problem.