Traffic log source user different from User-ID log

Traffic log source user different from User-ID log

L3 Networker


Hi everyone,


Greetings!

PA-1410
11.0.4-h1

I have a bit of an odd issue: the traffic log (by IP address) is showing a local firewall account as the source user, but when checking the user mapping (show user ip-user-mapping ip) or the User-ID log, that IP was mapped to an AD user.

Is it possible for the local firewall account to show as a source user?
Is it possible that this is just a GUI bug?

I deleted the local firewall account and that seems to have fixed the issue.
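A reconciliation check for the symptom described above, added here as an example and not code from the thread or from Palo Alto Networks: it parses the tabular output of `show user ip-user-mapping all` and a set of traffic log rows, then flags every row whose Source User disagrees with the User-ID mapping for the same source IP, marking separately the case where the logged user is a local firewall account. The sample mapping output and traffic rows are constructed, the mapping column layout and the reduced CSV layout are assumptions, and the local account name `fw-localadmin` is hypothetical.

```python
import csv
import io
import re

# Constructed sample of `show user ip-user-mapping all` output. The column
# layout is assumed from the CLI's tabular form; it is not a real capture.
MAPPING_OUTPUT = """\
IP               Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
---------------- ------ ------- -------------------------------- -------------- -------------
10.10.1.25       vsys1  AD      corp\\jdoe                       2200           2200
10.10.1.26       vsys1  AD      corp\\asmith                     1800           1800
"""

# Constructed traffic log rows in a simplified CSV layout (a handful of the
# PAN-OS traffic log fields, not the full field list).
TRAFFIC_CSV = """\
receive_time,src,dst,rule,srcuser,app
2024/05/01 10:00:01,10.10.1.25,203.0.113.10,allow-web,corp\\jdoe,web-browsing
2024/05/01 10:00:05,10.10.1.25,203.0.113.11,allow-web,fw-localadmin,ssl
2024/05/01 10:00:09,10.10.1.26,203.0.113.12,allow-web,corp\\asmith,dns
2024/05/01 10:00:12,10.10.1.30,203.0.113.13,allow-web,,ssl
"""

# Hypothetical local firewall administrator accounts to flag specifically.
LOCAL_ACCOUNTS = {"fw-localadmin"}

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_mapping(text):
    """Return {ip: (source, user)} from the tabular ip-user-mapping output."""
    mapping = {}
    for line in text.splitlines():
        parts = line.split()
        # Skip the header, the dashed separator and anything not led by an IP.
        if len(parts) < 4 or not IPV4.match(parts[0]):
            continue
        ip, _vsys, source, user = parts[0], parts[1], parts[2], parts[3]
        mapping[ip] = (source, user)
    return mapping


def find_mismatches(traffic_csv, mapping, local_accounts=LOCAL_ACCOUNTS):
    """Flag traffic rows whose Source User disagrees with the User-ID mapping."""
    findings = []
    for row in csv.DictReader(io.StringIO(traffic_csv)):
        src, srcuser = row["src"], row["srcuser"]
        mapped = mapping.get(src)
        if mapped is None:
            continue  # no User-ID mapping for this IP, so nothing to compare
        source, mapped_user = mapped
        # Directory usernames are case-insensitive, so compare casefolded.
        if srcuser and srcuser.casefold() == mapped_user.casefold():
            continue
        if not srcuser:
            reason = "no user on log row"
        elif srcuser in local_accounts:
            reason = "local firewall account"
        else:
            reason = "different user"
        findings.append({
            "time": row["receive_time"],
            "src": src,
            "log_user": srcuser,
            "mapped_user": mapped_user,
            "mapping_source": source,
            "reason": reason,
        })
    return findings


def run():
    """Run the check over the constructed samples."""
    return find_mismatches(TRAFFIC_CSV, parse_mapping(MAPPING_OUTPUT))


if __name__ == "__main__":
    for f in run():
        print(f"{f['time']} {f['src']}: log shows {f['log_user']!r} but "
              f"User-ID ({f['mapping_source']}) maps {f['mapped_user']!r} [{f['reason']}]")
```

Against the constructed samples only the second row is reported: 10.10.1.25 is mapped to corp\jdoe by AD but logged with the local account. Running the same comparison over a real export of the traffic log and a live `show user ip-user-mapping all` capture shows whether the discrepancy is isolated to one account or one IP, which is the first thing TAC will ask.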


Community Team Member

Hi @EdmarFrancis ,


Since deleting the local fw fixed the issue, it could be a User-ID cache issue. You can try running a command like "clear user-cache all" next time to see if it fixes the issue. The User-ID cache on the fw might have had stale or incorrect entries, causing the local firewall account to be shown in the traffic log.

LIVEcommunity team member
Stay Secure,
Jay

L3 Networker

Hi @JayGolf, thanks for your response. I did try to clear the cache (clear user-cache ip xx.xx), but the result is the same. It seems to be legitimate traffic.
Per my understanding, the local firewall user is able to show as the source user when, for example, it is used to authenticate to the GlobalProtect app or Captive Portal. Is that right?

L6 Presenter

@EdmarFrancis wrote:


Hi everyone,


Greetings!

PA-1410
11.0.4-h1

I have a bit of an odd issue: the traffic log (by IP address) is showing a local firewall account as the source user, but when checking the user mapping (show user ip-user-mapping ip) or the User-ID log, that IP was mapped to an AD user.

Is it possible for the local firewall account to show as a source user?
Is it possible that this is just a GUI bug?

I deleted the local firewall account and that seems to have fixed the issue.


@EdmarFrancis I know you mentioned deleting a user fixed your issue, but I have hit a User-ID bug where the IP to user-id mapping was wrong.  It was identified as PAN-239366, which is fixed in these versions:  "11.2.0, 11.1.3, 10.2.10, 10.2.11, 11.1.5, 10.2.4-h19, 12.1.0, 10.2.9-h9"  (List I got from TAC; that said, they didn't indicate an 11.0.X version, which seems weird.)


There is a workaround for this, which is to restart both firewalls (obviously very intrusive) or to run this command: "debug software restart process log-receiver."  I'm not certain of the impact of that restart command, so I would advise reaching out to TAC to confirm whether you're hitting this bug, or run the command in a maintenance window.

@Brandon_Wertz I appreciate you sharing the information.
For your issue, are both of the wrongly mapped users AD users?
Since in my case, it is a local firewall user.


@EdmarFrancis wrote:

@Brandon_Wertz I appreciate you sharing the information.
For your issue, are both of the wrongly mapped users AD users?
Since in my case, it is a local firewall user.


It was an AD-mapped user (both were AD-mapped).  I'm honestly not sure if this bug could be matched to a local user account.
