Sometime is user authenticate sometime is not in Paloalto

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Sometime is user authenticate sometime is not in Paloalto

L3 Networker

Hey, guys, one of my customer have an issue regarding the Source user let me explain in detail. 

There is one user having four outlook account in three of them the internet working properly but in one account he selects in outlook and checks the internet connectivity gone and in the logs the Traffic going through a cleanup rule which is the last policy any-any deny which comes before intra inter policy.

In the Traffic logs, the source user is not displaying.

After the customer run the command gpupdate /force command on the windows command prompt. the user is able to access the internet for some time and then the issue is the same 

So the user is able to access the internet sometimes and sometimes not.

when the user is able to access the internet I checked see the source user name and going through the User base security policy rule.

I created an IP base rule but the customer was not satisfied with that solution.

so what should I check in Palo alto? or there is an authentication problem but the user is able to access from three different outlook id but not by one.

3 REPLIES 3

Cyber Elite
Cyber Elite

@FarhanKoujalgi,

Sounds like your simply running into a User-ID time-out on the firewall. I'd check what you have the time out value set to on the firewall and see if you actually expect to see more authentication events coming from that client. My guess is that you have the time-out value set relatively low and User-ID simply isn't seeing any authentication logs from this user that frequently and the user IP mapping is being cleared. You'll either need to increase the time-out value or increase the number of authentication events being generated by the endpoint.

 

Its agentlesss where should i change that timeout value. but it is for only one user.

L3 Networker

Dear @BPry 

I Checked through ssh show user IP-user-mapping for to particular user 

The one says the mismatch and the other one says unknown and after some 5 to 10 minutes I run the same IP user mapping cmd the users are shown is this any strange behaviour that sometimes user mapping shows sometimes not I checked the WMI is enable on firewall and in the server monitoring also server are 4 and connected

  • 2212 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!