07-29-2024 01:16 AM
Hi everyone,
Greetings!
PA-1410
11.0.4-h1
I have a bit of an odd issue: the traffic log (IP address) is showing a local firewall account as the source user, but when checking the user mapping (show user ip-user-mapping ip) or the User-ID log, it was mapped to an AD user.
Is it possible for the local firewall account to show as a source user?
Is it possible that this is just a GUI bug?
Deleted the local firewall account and it seems to have fixed the issue.
07-31-2024 11:09 AM
Hi @EdmarFrancis ,
Since deleting the local fw fixed the issue, it could be a User-ID cache issue. You can try running a command like "clear user-cache all" next time to see if it fixes the issue. The User-ID cache on the fw might have had stale or incorrect entries, causing the local firewall account to be shown in the traffic log.
07-31-2024 10:09 PM
Hi @JayGolf, thanks for your response. I did try to delete the cache (clear user-cache ip xx.xx) but got the same result. It seems to be legitimate traffic.
Per my understanding, the local firewall user is able to show as the source user when, for example, it is used to authenticate to the GlobalProtect app or Captive Portal. Is that right?
08-06-2024 08:30 AM
@EdmarFrancis wrote:
Hi everyone,
Greetings!
PA-1410
11.0.4-h1
I have a bit of an odd issue: the traffic log (IP address) is showing a local firewall account as the source user, but when checking the user mapping (show user ip-user-mapping ip) or the User-ID log, it was mapped to an AD user.
Is it possible for the local firewall account to show as a source user?
Is it possible that this is just a GUI bug?
Deleted the local firewall account and it seems to have fixed the issue.
@EdmarFrancis I know you mentioned deleting a user fixed your issue, but I have hit a User-ID bug where the IP-to-user-ID mapping was wrong. It was identified as PAN-239366, which is fixed in these versions: "11.2.0, 11.1.3, 10.2.10, 10.2.11, 11.1.5, 10.2.4-h19, 12.1.0, 10.2.9-h9" (List I got from TAC. That said, they didn't indicate an 11.0.X version, which seems weird.)
There is a workaround for this, which is to restart both firewalls (obviously very intrusive) or to run this command: "debug software restart process log-receiver". I'm not certain of the impact of that restart command, so I would advise reaching out to TAC to confirm if you're hitting this bug, or running the command in a maintenance window.
08-07-2024 12:08 AM
@Brandon_Wertz appreciate you sharing information.
For your issue, is the user that is wrongly mapped both an AD user?
Since in my case, it is a local firewall user.
08-07-2024 05:57 AM
@EdmarFrancis wrote:
@Brandon_Wertz appreciate you sharing information.
For your issue, is the user that is wrongly mapped both an AD user?
Since in my case, it is a local firewall user.
It was an AD-mapped user (both were AD mapped). I'm honestly not sure if this bug could be matched to a local user account.