Source Users don't show up in Traffic & Threat

L1 Bithead

My problem is that the Source User in Monitor > Logs > Traffic & Threat doesn't show for all users.  All other columns, including Source and Destination IP, are displayed properly.  The unshown users can be from trusted lan/wlan/vpn zones and are going to trusted lan or untrusted wan zones.  The application they run can be ssl, facebook or dns...

The f/w model is PA-3020, ver 7.0.10.   Windows User-ID Agent is ver. 8.0.2-20, implemented on a domain server, running and connected to 2 domain controllers.  All configs for the Windows User-ID Agent part of this post (https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-User-ID/ta-p/69321) are checked and confirmed.  Our desktops are mostly Win 7 and a few Macs.  All laptops are Win 7, with a few Surface Pros running Win 10.

Does anyone have an idea which configs are missing?

5 REPLIES

L1 Bithead

Forgot to mention, all users' computers have an older version (2.x) of GlobalProtect installed that runs on startup.

Did you check the "destination user" column in the threat log? Is this column also empty in your logs?

The reason your users are probably shown as destination users in the threat log is that when Palo Alto blocks a threat or an exploit on a website, the source of the attack is not your internal user. In this case your user is the destination user. Or, even better, in the case of threats it is not dst and src users, it is attacker and victim.

-->

  • Source user = attacker
  • Destination user = victim

Thanks for your clarification.  It's my fault for mixing up the names in 2 different logs.  In the Threat log, the Victim column shows IPs without problems, but a few attackers (from internal trusted zones) don't show their names in the Attacker Name column.

Compared to the Threat log, the Traffic log has a lot more unshown names.

But this means you have at least some usernames in your logs? Did you try to find out which users you see: win7, macos, win10? Maybe this would help to find the root cause of the problem.
In the User-ID agent logs: do you have user-ip-mappings there?
You mentioned that you have GP installed on ALL computers. This is already probably the best setup, which theoretically makes the use of the User-ID agent obsolete. (But I would recommend updating the GP clients to a newer version.)
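One way to work through the two questions in the reply above (which hosts lack a Source User, and does the agent actually hold a mapping for them): an added Python example, not from the thread and not Palo Alto Networks code. It assumes a CSV export of the Traffic log and an IP-to-user table copied from the agent (for instance from `show user ip-user-mapping all`); every row and address below is constructed sample data.

```python
import csv
import io

# Constructed sample of a Traffic log CSV export, trimmed to the columns this check needs.
# Source User is blank where the firewall had no user mapping for the source IP.
TRAFFIC_CSV = """Source address,Source User,Source Zone,Destination Zone,Application
10.1.10.21,corp\\alice,trust-lan,untrust-wan,ssl
10.1.10.22,,trust-lan,untrust-wan,facebook-base
10.1.10.22,,trust-lan,untrust-wan,dns
10.1.20.5,corp\\bob,trust-wlan,untrust-wan,ssl
10.1.20.9,,trust-wlan,trust-lan,dns
10.1.30.7,corp\\carol,vpn,trust-lan,ssl
"""

# Constructed stand-in for the agent's ip -> user mapping table (hypothetical values).
AGENT_MAPPINGS = {
    "10.1.10.21": "corp\\alice",
    "10.1.20.5": "corp\\bob",
    "10.1.20.9": "corp\\dave",   # mapped on the agent, yet blank in the Traffic log
    "10.1.30.7": "corp\\carol",
}

def find_unmapped(traffic_csv, agent_mappings):
    """Return {src_ip: info} for every source IP that has sessions with an empty Source User.

    info records zones, applications, session count and whether the agent holds a mapping.
    That split separates 'agent never learned the user' (look at DC log reading / the host
    OS) from 'agent knows it but the firewall did not apply it' (look at User-ID enablement
    on the zone, or the mapping timeout)."""
    result = {}
    for row in csv.DictReader(io.StringIO(traffic_csv)):
        if row["Source User"].strip():
            continue
        ip = row["Source address"]
        info = result.setdefault(ip, {"zones": set(), "apps": set(), "sessions": 0,
                                      "agent_user": agent_mappings.get(ip)})
        info["zones"].add(row["Source Zone"])
        info["apps"].add(row["Application"])
        info["sessions"] += 1
    return result

def summarize(traffic_csv, agent_mappings):
    """Bucket unmapped IPs into the two groups that need different follow-up."""
    unmapped = find_unmapped(traffic_csv, agent_mappings)
    no_agent_mapping = sorted(ip for ip, i in unmapped.items() if i["agent_user"] is None)
    agent_has_mapping = sorted(ip for ip, i in unmapped.items() if i["agent_user"])
    return no_agent_mapping, agent_has_mapping

if __name__ == "__main__":
    missing, known = summarize(TRAFFIC_CSV, AGENT_MAPPINGS)
    print("No user in log, no mapping on agent:", missing)
    print("No user in log, but mapped on agent:", known)
```

Run against a real export, the first list is where to check the client OS and the agent's DC log collection; the second is where to check User-ID enablement on the source zone and the mapping timeout.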

Yes.  I do have, I guess, >50% of usernames shown in the Traffic log.  The ones that don't show are Win 7 or Mac OS desktops (I haven't checked Win 10 yet because only a few Surface Pros have Win 10 installed).

The User-ID Agent is connected (green dot) and running.  The usernames from the installed Agent program match those shown in the Traffic log, but the number of actually connected users is much higher.

My colleague tried to push the newer version of GP through the fw to all client machines but failed, so we stay with the old one until we test it out.  I was thinking the same, but it doesn't make sense why the desktops are affected.  Desktops don't have GP installed and connect to the internal network with CAT 5e.

 

Thanks for your suggestions.  I will try updating GP and maybe it'll help with some of the username display issues.
