PANOS 5.0.8 User-ID problem.

Not applicable

Did anyone have a problem with user identification (IP from AD through the User-ID application)? I have the above with 5.0.8; on 5.0.7 it is OK. Users from the local subnet are correctly discovered, but those from subnets other than the PA's aren't.

Regards

Adam

L4 Transporter

Hello Adam,

Since you mentioned this was working on PANOS 5.0.7, was the device upgraded or is that on a different firewall? Can you clarify if you're using the agent or the agentless?

Do you have any include or exclude lists configured? Under the zone configuration or the user-id config.

Pick a user machine whose mapping is not learnt and verify the logon server. Run "set l" at the Windows cmd prompt to see which logon server the user logged onto. Confirm the User-ID service is connected to the logon server/DC. If everything is set up correctly, we'd have to look at the logs.

If using agentless, you can enable debugs for the User-ID service and tail the useridd.log. Or you can enable debug-level logging on the User-ID agent and check the UaDebug logs in the agent's directory.

You can also refer to:

https://live.paloaltonetworks.com/docs/DOC-5662

Regards,

Aditi

Not applicable

Hello, thanks for the reply,

I use the User-ID agent; the service is running on a W2K8 R2 DC with domain admin privileges (it points to two domain controllers, the first local where the service is running and the second in the same subnet). Everything went well until the moment I updated PAN-OS to 5.0.8 from 5.0.7 (when the problem occurred I went back to 5.0.7). In User-ID, users connecting from all subnets are correctly discovered with their IP/username, but in Monitor->Traffic the device doesn't recognize the user name from AD for source IPs from subnets other than the PA's. I have an "include list" configured for all subnets, and the agent is properly connected to the servers and the device.

Regards,

Adam

L4 Transporter

If all the IP mappings are discovered on the agent and not on the firewall:

1. Are these users from a different subnet coming from a different source zone? All the source zones will need to have User-ID enabled so users can be identified on the firewall.

2. If coming from the same zone as the identified subnet, I'd re-check whether the zone has any User-ID ACL (include/exclude list) configured.

[Attachment: zone-user-id.PNG]
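To make the include/exclude-list effect in point 2 concrete, here is an added example (not part of the thread or any Palo Alto Networks tool) that replays a constructed set of agent-learned IP-to-user mappings against a firewall-side include/exclude list and reports which mappings the firewall would drop. The subnets, users and the ACL semantics (empty include list = all subnets eligible, non-empty include list = only those subnets, exclude entries override) are assumptions for illustration.

```python
import ipaddress

# Constructed sample: what the User-ID agent learned from the DC security logs.
# 10.1.1.0/24 stands in for the "local" subnet next to the firewall; the other
# two are remote user subnets (all values are made up for this example).
AGENT_MAPPINGS = [
    ("10.1.1.25", "acme\\adam"),
    ("10.2.5.40", "acme\\eva"),
    ("10.3.9.7", "acme\\tom"),
]

# Assumed firewall configs: the narrow one from the thread (a single include
# subnet) and a corrected one that lists every subnet users connect from.
NARROW_CONFIG = {"include": ["10.1.1.0/24"], "exclude": []}
FIXED_CONFIG = {"include": ["10.1.1.0/24", "10.2.5.0/24", "10.3.9.0/24"],
                "exclude": []}


def effective_mapping(mappings, include, exclude):
    """Split agent mappings into those the firewall would keep and those it
    would drop, with the reason. Assumed ACL semantics: an exclude match always
    drops; a non-empty include list drops anything outside it; an empty include
    list accepts every subnet."""
    include_nets = [ipaddress.ip_network(n, strict=False) for n in include]
    exclude_nets = [ipaddress.ip_network(n, strict=False) for n in exclude]
    kept, dropped = {}, {}
    for ip_str, user in mappings:
        ip = ipaddress.ip_address(ip_str)
        if any(ip in net for net in exclude_nets):
            dropped[ip_str] = (user, "excluded")
        elif include_nets and not any(ip in net for net in include_nets):
            dropped[ip_str] = (user, "not in include list")
        else:
            kept[ip_str] = user
    return kept, dropped


def audit(config, mappings=AGENT_MAPPINGS):
    """Return the list of (ip, user, reason) entries a config would silently lose."""
    _, dropped = effective_mapping(mappings, config["include"], config["exclude"])
    return [(ip, user, why) for ip, (user, why) in dropped.items()]


if __name__ == "__main__":
    for name, cfg in (("narrow", NARROW_CONFIG), ("fixed", FIXED_CONFIG)):
        lost = audit(cfg)
        print(f"{name}: {len(lost)} mapping(s) dropped at the firewall")
        for ip, user, why in lost:
            print(f"  {ip} -> {user}: {why}")
```

With the narrow config the two remote users show up on the agent but never in Monitor->Traffic, which is exactly the symptom described above; adding their subnets to the include list clears the drops.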

Not applicable

Yes... you are right!

I had not checked the include/exclude list on the firewall, only on the agent, and on the firewall there was only one include subnet (from which users/IPs are correctly discovered). But this means the mechanism now acts differently/badly (in PAN-OS 5.0.7) :)

After rush hour I will update the FW and check it.

Thanks and regards.

Adam
