09-30-2013 01:44 AM
Hi,
I just migrated from 5.0.3 to 5.0.6 and the User-ID is giving problems......... Some rules are not matching correctly.......
I have a rule on top denying the Twitter application, and at the end I have a rule allowing this traffic..... but the Twitter traffic is ju.. why does the traffic jump this rule?
admin@FW1(active)> test security-policy-match source 10.34.16.38 destination 199.16.156.21 protocol 80
"Wifi Invitados 5" {
from wifi_invitad;
source any;
source-region none;
to Untrust;
destination any;
destination-region none;
user any;
category any;
application/service [ ms-scheduler/any/any/any ms-dtc/any/any/any ms-iis/any/any/any
socks/any/any/any nfs/any/any/any ms-ds-smb/any/any/any telnet/any/any/any
vidsoft/any/any/any syslog/any/any/any lpd/any/any/any ipp/any/any/any
ms-rdp/any/any/any vnc-http/any/any/any vnc-base/any/any/any pcanywhere-base/any/any/any
eve-online/any/any/any http-proxy/any/any/any maplestory/any/any/any sip/any/any/any
h.323/any/any/any kazaa/any/any/any skydur/any/any/any gnutella/any/any/any
unreal/any/any/any bomberclone/any/any/any little-fighter/any/any/any soulseek/any/any/any
direct-connect/any/any/any ares/any/any/any warez-p2p/any/any/any emule/any/any/any
steam/any/any/any imesh/any/any/any bittorrent/any/any/any ms-groove/any/any/any
unknown-p2p/any/any/any peerenabler/any/any/any cooltalk/any/any/any alisoft/any/any/any
netmeeting/any/any/any 100bao/any/any/any citrix/any/any/any showmypc/any/any/any
fasttrack/any/any/any gkrellm/any/any/any goboogy/any/any/any chatroulette/any/any/any
kugoo/any/any/any mu
application/service(implicit) [ rpc/any/any/any ssl/any/any/any netbios-ss/any/any/any
msrpc/any/any/any t.120/any/any/any jabber/any/any/any web-browsing/any/any/any
rtmp/any/any/any net.tcp/any/any/any ];
action deny;
terminal no;
}
-------------------------------------------------------------------------------------
At the end I have this rule and it is matching..
TRUST to UNTRUST permit any/any
------------------------------------------------------------------------------------
The test says that this rule should apply, but the generic permit rule is applied instead..... why?
09-30-2013 02:51 AM
I have this config in the
admin@FW1(active)> show user user-id-agent statistics
Name Host Port Vsys State Ver Usage
---------------------------------------------------------------------------
DCTIC 10.10.248.79 4444 vsys1 conn:idle 5
DC 10.74.248.54 4444 vsys1 conn:idle 5
DC2 10.30.48.15 4444 vsys1 conn:Get IPs 5
DC2q 10.33.248.143 4444 vsys1 conn:idle 5
Usage: 'P': LDAP Proxy, 'N': NTLM AUTH, '*' Currently Used
I don't have any * for the servers?? Maybe it's not connected?
For some IPs the rules are matching correctly; for other IPs they are not.
09-30-2013 03:16 AM
Why is User-ID detecting some users and not others?
admin@FW1(active)> show user ip-user-mapping ip 10.34.20.31
IP address: 10.34.20.31 (vsys1)
User: unknown
From: Unknown
Idle Timeout: 2s
Max. TTL: 5s
Groups that the user belongs to (used in policy)
admin@FW1(active)> show user ip-user-mapping ip 10.34.20.32
IP address: 10.34.20.32 (vsys1)
User: acan\vgri
From: UIA
Idle Timeout: 2506s
Max. TTL: 2506s
Groups that the user belongs to (used in policy)
Group(s): acan\domain users
09-30-2013 06:23 AM
Hi,
Do you have WMI probing enabled? Also, are these Windows users or Mac users? And do you see the mapping for these users on the agent or not?
Thanks,
Syed R Hasnain
09-30-2013 10:16 AM
The following doc, on page 8, explains how to troubleshoot "unknown" or no users in the traffic logs.
https://live.paloaltonetworks.com/docs/DOC-5662
Hope this helps you resolve the issue.
Thank you
Numan
09-30-2013 10:57 PM
Everything was working in 5.0.3......... but something changed in 5.0.6.
Where can I check if WMI is enabled????
10-01-2013 07:30 AM
Hello,
If you can share a screenshot of the security rules here we will be happy to give more details.
> Security rules try to match each parameter in order to hit the rule. If any one parameter is missing or not matching, the traffic goes down to the more generic rules.
> My suggestion would be to check whether all the parameters of the security rule are matching. Many times it happens that the user ID is not identified for the user, hence the rule is not matched and the traffic goes to the bottom rule.
Here are some commands to share details:
" show user ip-user-mapping ip <ipaddress>"
Provides details of the username-to-IP mapping and the groups bound to this user name.
"show user user-IDs match-user <username>"
This command tries to pull the details about the username.
If there is no proper mapping for the username/IP address and the security rule has the username defined, then the security rule is not matched.
Now, just to test: if you remove the usernames from the security rule, pass traffic, and it hits the right rule, then we have the answer that the user ID was not matching.
Hope the info helps!
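As an added example (not code from the thread or from Palo Alto Networks), a small Python helper that parses the output of the two commands shown in this thread, show user ip-user-mapping and show user user-id-agent statistics, and lists the conditions under which a user- or group-based rule would fall through to a more generic rule. The sample output is constructed to match the format quoted above, and the '*' check relies on the Usage legend printed under the statistics table.

```python
import re
# Constructed sample output, in the format of the thread's
# "show user ip-user-mapping ip <ip>" and "show user user-id-agent statistics".
MAPPING_OUTPUT = """IP address: 10.34.20.31 (vsys1)
User: unknown
From: Unknown
Idle Timeout: 2s
Max. TTL: 5s
Groups that the user belongs to (used in policy)
"""
AGENT_STATS = """Name Host Port Vsys State Ver Usage
---------------------------------------------------------------------------
DCTIC 10.10.248.79 4444 vsys1 conn:idle 5
DC2 10.30.48.15 4444 vsys1 conn:Get IPs 5
"""
AGENT_RE = re.compile(r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\S+)\s+(.+?)\s+(\d+)(?:\s+(\S+))?$")

def parse_ip_user_mapping(text):
    """Parse one ip-user-mapping block; 'mapped' is False when the user is unknown."""
    head = re.search(r"IP address:\s*(\S+)\s*\((\S+)\)", text)
    fields = dict(re.findall(r"^(User|From|Idle Timeout|Max\. TTL):\s*(.*?)\s*$", text, re.M))
    user = fields.get("User", "unknown")
    return {
        "ip": head.group(1), "vsys": head.group(2), "user": user,
        "source": fields.get("From", "Unknown"),
        "idle_timeout_s": int(fields.get("Idle Timeout", "0s").rstrip("s")),
        "max_ttl_s": int(fields.get("Max. TTL", "0s").rstrip("s")),
        "groups": re.findall(r"^Group\(s\):\s*(.*?)\s*$", text, re.M),
        "mapped": user.lower() != "unknown",
    }

def parse_agent_statistics(text):
    """Parse agent rows: name, host, port, vsys, state (may contain spaces), version, usage flag."""
    agents = []
    for m in filter(None, (AGENT_RE.match(line.strip()) for line in text.splitlines())):
        name, host, port, vsys, state, ver, usage = m.groups()
        agents.append({"name": name, "host": host, "port": int(port), "vsys": vsys, "state": state,
                       "ver": int(ver), "usage": usage or "", "connected": state.startswith("conn:")})
    return agents

def diagnose(mapping, agents):
    """Return the reasons a user- or group-based rule would fall through to a generic one."""
    findings = []
    if not mapping["mapped"]:
        findings.append(f"{mapping['ip']}: no IP-to-user mapping, user/group rules cannot match")
    if not any(a["usage"] == "*" for a in agents):
        findings.append("no agent shows '*' (currently used) in the Usage column")
    findings += [f"agent {a['name']} ({a['host']}) not connected: {a['state']}"
                 for a in agents if not a["connected"]]
    return findings
```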
10-01-2013 07:59 AM
Hi,
Below is the snapshot where you would see whether WMI probing is enabled or not on the User-ID agent.
Thanks,
Syed R Hasnain
10-01-2013 11:54 PM
We had a user who did not appear in the User-ID (WCHE), and I did show user ip-user-mapping ip 10.34.4.34 and the user did appear, or it was unknown; the user suddenly appeared and we have not done anything. We still have other users who are still missing in the User-ID, and they are logged in to the domain. I've attached several screenshots about the user.
I don't think client probing needs to be enabled. User-ID worked perfectly in version 5.0.3; we migrated to 5.0.6 and the problems started.....