This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
Accept
Reject

Traffic Logs show 2 different source users from same IP

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Traffic Logs show 2 different source users from same IP

emarschang
L1 Bithead

‎04-19-2022 11:48 AM

We are using User Identification and have the user-id agent running on 2 different AD servers.  Also using global protect.  When looking at traffic logs I can filter on my GlobalProtect VPN IP, I can see the source user of my user account, and a source user of another account.  When looking user-id mappings, and look at my VPN IP, I only see my user account.  Any idea what would be causing this?image.pngimage.png

0 Likes Likes
7 REPLIES 7

vsys_remo
Cyber Elite
Cyber Elite

‎04-19-2022 01:19 PM

Hi @emarschang 

Did you really hit enter for the search query in the first screenshot?

As there are 2 hours between the logs in these screenshots it might be possible that the other user disconnected and global protect assigned then this IP to you. At least this is an explanation. If you provide some more logs like the global protect logs we might be able to find the actual reason.

0 Likes Likes

emarschang
L1 Bithead
In response to vsys_remo

‎04-20-2022 01:47 PM

Sorry for the confusion there on the timestamps.  Next time I catch this happening, ill will try to grab the relative logs/time stamps.

emarschang
L1 Bithead

‎04-28-2022 12:26 PM

I finally was able to get some fresh screen shots.  I got a screen shots from the traffic log, user-id log, and url filter log.  I think we can take the global protect out of the equation.  This is happening to internal users as well.  In this example, end user tried to go to you tube, got a blocked page, but it showed his username as the manadmin user.  Not his user account. TrafficLogs-SourceUsers-SameIP.pngURLFilter-SourceUsers-SameIP.pngUserID-SameIPs.png

0 Likes Likes

OtakarKlier
Cyber Elite
Cyber Elite

‎04-29-2022 02:37 PM

Hello,

What is the timeout setting for your user-id settings? Also what are you using for user-id to perform the mapping, active directory logs, etc.?

Regards,

0 Likes Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Copyright 2007 - 2023 - Palo Alto Networks