07-16-2020 12:44 AM
I have user mapping configured under User Identification to monitor my AD servers, which are showing as 'connected'. My trust zone has User-ID enabled. My GlobalProtect clients are in the trust zone. Their 'source user' correctly shows in the traffic log. However, none of the other networks in my trust zone list a source user in their log entries. Why might it be that one network (GlobalProtect) lists User-ID in traffic but the other networks do not?
07-16-2020 04:55 AM
Hi @JimMcGrady
This means the AD connection is not pulling in any username information (GlobalProtect is a different mechanism entirely), so the first place to check is whether you enabled audit logging on the AD and user logins are being logged; then check if the user account you set up for User-ID has appropriate access to read those logs (event-log-reader).
Hope this helps
07-20-2020 09:03 PM
The AD servers appear to be connected:
show user server-monitor statistics
Directory Servers:
Name TYPE Host Vsys Status
-----------------------------------------------------------------------------
pdcpvads01.corp.int AD pdcpvads01.corp.int vsys1 Connected
pdcpvads02.corp.int AD pdcpvads02.corp.int vsys1 Connected
Queries to these servers don't report failures:
show user server-monitor state all
Server: pdcpvads01.corp.int(vsys: vsys1)
Host: pdcpvads01.corp.int
num of log query made : 2755
num of log query failed : 0
num of log read : 3132630
last record timestamp : 1595303559
last record time : 20200721035239.595407-000
Server: pdcpvads02.corp.int(vsys: vsys1)
Host: pdcpvads02.corp.int
num of log query made : 2772
num of log query failed : 1
num of log read : 1410103
last record timestamp : 1595303701
last record time : 20200721035501.975727-000
User mapping is correct for GP clients (172.30.x.x) but shows unknown for everything else:
show user ip-user-mapping all
IP Vsys From User IdleTimeout(s) MaxTimeout(s)
--------------------------------------------- ------------------- ------- -------------------------------- -------------- -------------
172.30.4.137 vsys1 GP corp\306271 13344 13344
10.75.123.36 vsys1 Unknown unknown 3 6
10.21.166.30 vsys1 Unknown unknown 1 4
Are there other commands I should use to investigate?
07-20-2020 09:15 PM
Under Device > User Identification > Group Mapping Settings I can see AD being queried successfully. These objects are successfully being used in policy rules which restrict traffic according to User-ID.
However, when viewing the user mapping, anything other than GP (172.30) is listed as unknown:
show user ip-user-mapping all
IP Vsys From User IdleTimeout(s) MaxTimeout(s)
--------------------------------------------- ------------------- ------- -------------------------------- -------------- -------------
172.30.4.137 vsys1 GP corp\306271 13344 13344
172.30.4.233 vsys1 UIA corp\m062636 1876 1876
10.21.223.36 vsys1 Unknown unknown 3 6
172.30.4.120 vsys1 UIA corp\306976 2617 2617
10.21.166.30 vsys1 Unknown unknown 1 4
What else should I check?
07-21-2020 06:07 AM
The group mapping is only used to extract group information from Active Directory and list the usernames that are in the group; it does not extract user-to-IP mapping.
For this you would need to install a User-ID agent on your Active Directory, or fill out the information in the server profile (first tab in your screenshot) so the firewall can actively retrieve log information from your AD audit log.
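As an added example (not code from the thread or from Palo Alto Networks), here is a small triage script that parses the `show user ip-user-mapping all` output pasted above and reports which mapping source (the "From" column) covers which addresses, so the gap between GP/UIA-sourced mappings and the Unknown networks is visible at a glance. The sample output is constructed from the rows in the thread; the column regex assumes the whitespace-separated layout shown there.

```python
"""Triage helper for PAN-OS `show user ip-user-mapping all` output.
Added example, not from the original thread; the sample below is constructed
from the rows the poster shared, and the regex assumes that column layout."""
import ipaddress
import re
from collections import Counter

SAMPLE_OUTPUT = r"""
IP              Vsys   From    User             IdleTimeout(s)  MaxTimeout(s)
--------------- ------ ------- ---------------- --------------- -------------
172.30.4.137    vsys1  GP      corp\306271      13344           13344
172.30.4.233    vsys1  UIA     corp\m062636     1876            1876
10.21.223.36    vsys1  Unknown unknown          3               6
172.30.4.120    vsys1  UIA     corp\306976      2617            2617
10.21.166.30    vsys1  Unknown unknown          1               4
"""

# One data row: IP, vsys, source ("From"), user, idle timeout, max timeout.
ROW_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<vsys>\S+)\s+(?P<src>\S+)\s+"
    r"(?P<user>\S+)\s+(?P<idle>\d+)\s+(?P<max>\d+)\s*$"
)


def parse_ip_user_mapping(text):
    """Return one dict per data row; header, separator and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def count_by_source(rows):
    """Count mappings per source, e.g. {'GP': 1, 'UIA': 2, 'Unknown': 2}."""
    return Counter(r["src"] for r in rows)


def unknown_by_network(rows, prefixlen=16):
    """Group unmapped IPs by /prefixlen so the unmonitored networks stand out."""
    nets = {}
    for r in rows:
        if r["src"] == "Unknown":
            net = ipaddress.ip_network(f"{r['ip']}/{prefixlen}", strict=False)
            nets.setdefault(str(net), []).append(r["ip"])
    return nets


if __name__ == "__main__":
    rows = parse_ip_user_mapping(SAMPLE_OUTPUT)
    print(dict(count_by_source(rows)))
    for net, ips in unknown_by_network(rows).items():
        print(f"{net}: no User-ID mapping for {', '.join(ips)}")
```

Networks that only ever appear under Unknown are the ones whose logons are not reaching the firewall through any user mapping source, which is where the audit-log or agent configuration discussed above needs checking.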