Timeout value of user-ID log

Reply
Highlighted
L1 Bithead

Timeout value of user-ID log

 

We are using ldap authentication and globalprotect.


image.png

In the above picture, the timeout value continues to be 2592000 and 0

 

time out 2952000 and 0 , what does that mean?

 

Why does it look like above?

 

Please let me know.

 

 

 

 

 

 

Highlighted
L2 Linker

Hello jskang,

 

The Timeout value is officially defined as "Timeout after which the IP/User Mappings are cleared." in this document: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/monitoring/use-syslog-for-monitoring...

 

With that in mind, what should be happening is that your users authenticate to GP or any other source (AD, captive-portal, etc.) and authenticate at that time and this user-id log entry shows a Timeout value. 

However, due to the logs attempting to show everything related to user-id, you'll also see any refresh times or secondary authentication attempts, etc. but these will NOT have their own Timeout value, only refresh the original Timeout for the actual mapping.

 

In the case of active-directory mappings, you'll also see the original mapping and then a few times where the Source Name shows up as "probing", and this also has a Timeout of 0, but that's because it also is refreshing the original mapping and doesn't have a timeout of its own

 

Basically what you're seeing is the user-id log mapping every bit of information it gets because that's its job, not because that was a genuine mapping at that time. It likely was assisting the original mapping, but how could you troubleshoot the refreshes/probings if you don't see them on the user-id log?

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!