This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Timeout value of user-ID log

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Timeout value of user-ID log

jskang
L1 Bithead

‎01-31-2018 09:37 PM - edited ‎01-31-2018 09:38 PM

 

We are using ldap authentication and globalprotect.


image.png

In the above picture, the timeout value continues to be 2592000 and 0

 

time out 2952000 and 0 , what does that mean?

 

Why does it look like above?

 

Please let me know.

 

 

 

 

 

 

1 person had this problem.
0 Likes Likes
1 REPLY 1

cperratore
L2 Linker

‎03-25-2018 07:54 AM - edited ‎03-25-2018 07:59 AM

Hello jskang,

 

The Timeout value is officially defined as "Timeout after which the IP/User Mappings are cleared." in this document: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/monitoring/use-syslog-for-monitoring...

 

With that in mind, what should be happening is that your users authenticate to GP or any other source (AD, captive-portal, etc.) and authenticate at that time and this user-id log entry shows a Timeout value. 

However, due to the logs attempting to show everything related to user-id, you'll also see any refresh times or secondary authentication attempts, etc. but these will NOT have their own Timeout value, only refresh the original Timeout for the actual mapping.

 

In the case of active-directory mappings, you'll also see the original mapping and then a few times where the Source Name shows up as "probing", and this also has a Timeout of 0, but that's because it also is refreshing the original mapping and doesn't have a timeout of its own

 

Basically what you're seeing is the user-id log mapping every bit of information it gets because that's its job, not because that was a genuine mapping at that time. It likely was assisting the original mapping, but how could you troubleshoot the refreshes/probings if you don't see them on the user-id log?

0 Likes Likes
  • 3544 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks