Source user missing from log

Reply
Highlighted
L3 Networker

Source user missing from log

I have user mapping configured under user identification to monitor my AD servers - which are showing as 'connected'. My trust zone has user-id enabled. My globalprotect clients are in the trust zone. Their 'source user' correctly shows in the traffic log.  However none of the other networks in my trust zone list a source user in their log entries. Why might it be that one network (globalprotect) lists user-id in traffic but the other networks do not?

Highlighted
L1 Bithead

hi @JimMcGrady 

 

this means the AD connection is not pulling in any username information (globalprotect is a different mechanism entirely), so first place to check is if you enabled audit logging on the AD and user logins are being logged, then check if the user account you set up for user-id has appropriate access to read those logs (event-log-reader)

 

hope this helps

Highlighted
L3 Networker

The AD servers appear to be connected:

show user server-monitor statistics

Directory Servers:
Name TYPE Host Vsys Status
-----------------------------------------------------------------------------
pdcpvads01.corp.int AD pdcpvads01.corp.int vsys1 Connected
pdcpvads02.corp.int AD pdcpvads02.corp.int vsys1 Connected

 

Queries to these servers dont report failures:

 

show user server-monitor state all

 

Server: pdcpvads01.corp.int(vsys: vsys1)
Host: pdcpvads01.corp.int
num of log query made : 2755
num of log query failed : 0
num of log read : 3132630
last record timestamp : 1595303559
last record time : 20200721035239.595407-000

 

Server: pdcpvads02.corp.int(vsys: vsys1)
Host: pdcpvads02.corp.int
num of log query made : 2772
num of log query failed : 1
num of log read : 1410103
last record timestamp : 1595303701
last record time : 20200721035501.975727-000

 

User mappings is correct for GP clients (172.30.x.x) but shows unknown for everything else

show user ip-user-mapping all

IP Vsys From User IdleTimeout(s) MaxTimeout(s)
--------------------------------------------- ------------------- ------- -------------------------------- -------------- -------------
172.30.4.137 vsys1 GP corp\306271 13344 13344
10.75.123.36 vsys1 Unknown unknown 3 6
10.21.166.30 vsys1 Unknown unknown 1 4

 

Are there other commands i should use to investigate?

Highlighted
L3 Networker

Under device - user identification - group mapping settings - i can see AD being queried successfully. These objects are successfully being used in policy rules which restrict traffic according to user id

JimMcGrady_0-1595304789822.png

 

However, when viewing the user mapping, anything other than GP (172.30) is listed as unknown:

 

show user ip-user-mapping all

IP Vsys From User IdleTimeout(s) MaxTimeout(s)
--------------------------------------------- ------------------- ------- -------------------------------- -------------- -------------
172.30.4.137 vsys1 GP corp\306271 13344 13344
172.30.4.233 vsys1 UIA corp\m062636 1876 1876
10.21.223.36 vsys1 Unknown unknown 3 6
172.30.4.120 vsys1 UIA corp\306976 2617 2617
10.21.166.30 vsys1 Unknown unknown 1 4

 

What else should i check?

Highlighted
L7 Applicator

the group mapping is only used to extract group information from the active directory, and list the usernames that are in the group. it does not extract user to ip mapping

 

for this you would need to install a user-id agent on your active directory, or fill out the information in the server profile (first tab in your screenshot) so the firewall can actively retrieve log information from your AD audit log 

 

 

reaper - PANgurus.com
Find my book at https://www.amazon.com/dp/1789956374
Tags (1)
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!