security policy source user strange behavior

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

security policy source user strange behavior

L1 Bithead

Hello

I am using ldap users as source user in security policy.

The policy defines who can access http-service and https-service to the internet.

After the Firewall there are about 500 PCs and about 10% PCs stop to browse the internet every 20-30min, pressing F5 in the browser seems to solve.

The only thing that I understood is that the problem is always in those PC.

Removing the source user limitation this problem disappear.

Any idea on howto debug this ?

 

thanks very much

10 REPLIES 10

L7 Applicator

try to increase user identification timeout (min) from default 45 to 8 hours (480)

 

for debug overide interzone default policy and log session start.

look for traffic with no source user.

L2 Linker

Do you see an intermittent blank 'source user' value on traffic logs (Monitor > Traffic) once it fails? 

You may verify this by filtering in traffic logs the following: ( user.src neq 'source-user' ) and ( addr.src in x.x.x.x ).

 

If that is the case, most likely the User-to-IP mapping is being lost due to Timeout. Ref doc:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClZzCAK

 

You can either increase the User Identification Timeout or remove the check from the Enable User Identification Timeout.

 

More information about User Identification Timeout: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNVyCAO 

Thank you both for the answers.

at the moment i disabled the user identification in the policies, to keep people work.

I noticed that pc/user with problem are always the same.

And the interruption (i see the empty user in url filtering) is less of the 45min set in the timeout setting.

next week I will set up a little lab where to try to reproduce the problem.

should I look at the user id agent server to find something ?

Giacomo

this will be easy to diagnose without a lab.

Just clone your HTTP/HTTPS policy that has no user identification and call it user-test.

add this directly above and allow with source user ID.

 

This will not block users as they will drop down to the next policy that will allow if no user id is found.

 

monitor the traffic for http(s) and when a user is using user-test then you know user id is working for them.

 

If you see a user on the other policy then search for that user on the server agent under "monitoring".

if the search is blank then the ip address associated with that user may have timed out.

 

please note that the user timeout has nothing to do with timestamps on traffic monitor, it is the time since the ip address was last observed in the security logs by the agent. so a user could be fine at 10:44 and at 10:46 no traffic.  this is because they registered their ip address at 10:00 and it has now timed out.

 

if it applies to a particular set of users then this could be because their domain activity is not as frequent as others.

 

on the server agent you can increase timeout here under setup.

 

MickBall_0-1607762013818.jpeg

 

 

 

I increased the timeout to 600, but when I launch:

show user ip-user-mapping all type UNKNOWN

I always see about 10-15 PCs in the unknown list.

The new user mapping timeout will only start on the next new mapping,  are you monitoring AD security logs.

If so then get user to log out and back in to update security log on AD. 

this will be easy to diagnose without a lab.

Just clone your HTTP/HTTPS policy that has no user identification and call it user-test.

add this directly above and allow with source user ID.

 

I can see a lot fo empty "source user" in "Monitor/Url Filtering" also without that rule.

 

I tried to add a third User-id Agent.

 

What's the need of User Identification > User Mapping > server monitoring tab ?

If I press discover my DC's are listed, but with the access denied error.

 

thanks very much for yours help.

 

have you setup a server monitor account in the agent setup?

yes it is configured.

I meant, is server monitor only need for wmi probing ?

  • 5416 Views
  • 10 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!