Security Rules dont match propertly

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Security Rules dont match propertly

L4 Transporter

Hi,

I just migrated from 5.0.3 to 5.0.6 and the user-id is giving problems......... Some rules is not matching correctly.......

I have the rule on top ,deny Twitter application and in the end  i have a rule allowing this traffic.....but the twitter traffic is ju..why the traffic jump this rule?

admin@FW1(active)> test security-policy-match source 10.34.16.38 destination 199.16.156.21 protocol 80

"Wifi Invitados 5" {

        from wifi_invitad;

        source any;

        source-region none;

        to Untrust;

        destination any;

        destination-region none;

        user any;

        category any;

        application/service [ ms-scheduler/any/any/any ms-dtc/any/any/any ms-iis

/any/any/any socks/any/any/any nfs/any/any/any ms-ds-smb/any/any/any telnet/any/

any/any vidsoft/any/any/any syslog/any/any/any lpd/any/any/any ipp/any/any/any m

s-rdp/any/any/any vnc-http/any/any/any vnc-base/any/any/any pcanywhere-base/any/

any/any eve-online/any/any/any http-proxy/any/any/any maplestory/any/any/any sip

/any/any/any h.323/any/any/any kazaa/any/any/any skydur/any/any/any gnutella/any

/any/any unreal/any/any/any bomberclone/any/any/any little-fighter/any/any/any s

oulseek/any/any/any direct-connect/any/any/any ares/any/any/any warez-p2p/any/an

y/any emule/any/any/any steam/any/any/any imesh/any/any/any bittorrent/any/any/a

ny ms-groove/any/any/any unknown-p2p/any/any/any peerenabler/any/any/any cooltal

k/any/any/any alisoft/any/any/any netmeeting/any/any/any 100bao/any/any/any citr

ix/any/any/any showmypc/any/any/any fasttrack/any/any/any gkrellm/any/any/any go

boogy/any/any/any chatroulette/any/any/any kugoo/any/any/any mu        applicati

on/service(implicit) [ rpc/any/any/any ssl/any/any/any netbios-ss/any/any/any ms

rpc/any/any/any t.120/any/any/any jabber/any/any/any web-browsing/any/any/any rt

mp/any/any/any net.tcp/any/any/any ];

        action deny;

        terminal no;

}

-------------------------------------------------------------------------------------

In the end i have this rule and its matching..

TRUST to UNTRUST   permit   any/any

------------------------------------------------------------------------------------

the test say that this rule should be apply but its apply the generic permit rule.....why?

8 REPLIES 8

L4 Transporter

i have this config in the

admin@FW1(active)> show user user-id-agent statistics

Name             Host            Port  Vsys    State             Ver Usage

---------------------------------------------------------------------------

DCTIC            10.10.248.79    4444  vsys1   conn:idle         5

DC    10.74.248.54    4444  vsys1   conn:idle         5

DC2   10.30.48.15     4444  vsys1   conn:Get IPs      5

DC2q             10.33.248.143   4444  vsys1   conn:idle         5

Usage: 'P': LDAP Proxy, 'N': NTLM AUTH, '*' Currently Used

I dont have any * in the server?? maybe its not connected?

For any ips the rules correct its matching for another ips no

Why UserID is detecting some users and another NO Smiley Sad

admin@FW1(active)> show user ip-user-mapping ip 10.34.20.31

IP address:  10.34.20.31 (vsys1)

User:        unknown

From:        Unknown

Idle Timeout: 2s

Max. TTL:    5s

Groups that the user belongs to (used in policy)

admin@FW1(active)> show user ip-user-mapping ip 10.34.20.32

IP address:  10.34.20.32 (vsys1)

User:        acan\vgri

From:        UIA

Idle Timeout: 2506s

Max. TTL:    2506s

Groups that the user belongs to (used in policy)

Group(s):    acan\domain users

Hi,

Do you have WMI probing enabled? Also are these windows user or mac users? Also do you see the mapping for these users on the agent or not?

Thanks,


Syed R Hasnain

Following doc on page 8 explains how to troubleshoot for "unknown or no users in the traffic logs.

https://live.paloaltonetworks.com/docs/DOC-5662

Hope this helps your resolve the issue.


Thank you

Numan

L4 Transporter

Everything was working in 5.0.3.........but anything changed in 5.0.6.

where can i check if WMI is enabled????

L4 Transporter

Hello,

If you can share a screenshot of the security rules here we will be happy to give more details.

> Security rules try to match each parameter to match the rule and hit. If any one is missing or not matching it goes down to more generic rules.

> My suggestion would be to see if all the parameters are matching in security rule. Many times it may happen that the user id is not identified for the user and hence rule is not matched and goes to the bottom rule.

Here are some commands to share details:

" show user ip-user-mapping ip <ipaddress>"

Provides details of the username to IP mapping. Groups binded to this user name.

"show user user-IDs match-user <username>"

This command would try to pull the details about the username.

If there is no proper mapping for username/ip address and the security rules has the username defined then the security is rule is not matched.

Now to just test, if you remove the usernames in security rule and pass traffic and if it hits the right rule then we have the answer that the user id was not matching.

Hope the info helps. !

Hi,

Below is the snap shot where you would see if the WMI probing is enabled or not on the user id agent.

wmi.PNG.png

Thanks,

Syed R Hasnain

L4 Transporter

we had a user who did not appear in the userid (WCHE) adn i did show  user ip-user-mapping ip 10.34.4.34 and the user did appear or it was a unknown, the user suddenly appeared and we have not done anything. We still have other users who are still missing in the UserID and they are log in the domain. Ive attached several screenshot about the user.


I dont whink Client probing needs to be enabled. USerID worked perfect in 5.0.3 version, we migrated to 5.0.6 and the problems started.....User.jpg

  • 4406 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!