User-ID Agentless question

L4 Transporter

Is there a reason why with Agentless User-ID I still never see any logs in Monitor? As shown below, it definitely is working, but traffic logs do not show user IDs. I have an any-any policy and the User-ID box is checked on the zones. Any ideas? I have the agent on a 2012 server. I do see in the logs "failed to connect to LDAP", but it is definitely working from the output.

dmin@PALO-TIA-03P vsys4(active-primary)> show user ip-user-mapping-mp all

IP Vsys From User Timeout (sec)
--------------- ------ ------- -------------------------------- ----------------
10.64.21.84 vsys4 UIA ad\rivea 880
10.1.97.119 vsys4 UIA ad\miche 611
10.64.19.66 vsys4 UIA ad\mclaugm 1215
10.64.42.65 vsys4 UIA ad\treeced 265
10.64.42.104 vsys4 UIA ad\kopitsc 1045
10.148.2.216 vsys4 UIA ad\mumphre 652
10.84.2.50 vsys4 UIA ad\bursono 981
10.64.46.156 vsys4 UIA ad\xueli 977

L5 Sessionator

Run the command "show session all filter source <ip>"; it will show the session ID. Now run the command "show session id <id>" and check whether there is a user name in the output or not. It might be that you are not logging the traffic.

Filter the logs by IP address and check whether you have logs or not. Try removing the servers and doing a commit, then add the server back, do a commit, and check whether that helps or not.

L5 Sessionator

Did you enable User-ID on the appropriate security zone(s)?

 

L2 Linker

Ensure that the Monitor tab has the "Source User" column. Additionally, I found that restarting the User-ID daemon helped me with a few problems:

> debug software restart process user-id core yes

 

Restarting the management plane helped me as well (this will not affect normal traffic):

> debug software restart process management-server

 

You can also follow the user-id log for more info.

 

> tail follow yes mp-log useridd.log

L7 Applicator

Only use the "core yes" toggle if instructed to do so by TAC, as this will create a core file.

The core file can be used by support if they need to investigate an issue with a process, but generating a core when not needed will take up unnecessary disk space.
Core files are not automatically pruned, to conserve debug data in case a process were to crash. This also means that if enough unsolicited core files have been created, there may not be enough space if an actual core were to happen.

You can clear out old core files with the command > delete core-file
Tom Piens - PANgurus.com
Like my answer? check out my book! amazon.com/dp/1789956374
L4 Transporter

Tried all these recommendations, and in the User-ID Agent Monitor tab I still show only 2 IPs, which are the IP of the firewall and the IP of my actual PC. I still never see any of the users that are showing as logged in under the CLI coming in on the agent. I have pretty much read every article that exists on PA and User-ID setup, to no avail. So I'm going to presume that my issue is maybe log related on the server itself. Apparently I'm supposed to see the below types of responses in the Agent logs, which I never do.

  • 4768 (Authentication Ticket Granted)
  • 4769 (Service Ticket Granted)
  • 4770 (Ticket Granted Renewed)
  • 4624 (Logon Success)
L7 Applicator

Hi Clyde

 

If you open the Windows Event Viewer, do these event IDs ever show up?

You may need to enable success auditing in the domain security settings (screenshot: 2016-05-12_15-18-15.jpg).

Tom Piens - PANgurus.com
Like my answer? check out my book! amazon.com/dp/1789956374
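
One way to run the check suggested above on the monitored domain controller, as an added example that is not part of the original thread. It assumes an elevated PowerShell session on the DC; the one-hour look-back window and the 500-event cap are arbitrary choices for illustration.

```powershell
# Added example: do the four event IDs from this thread reach the Security log?
$ids   = 4768, 4769, 4770, 4624
$since = (Get-Date).AddHours(-1)     # assumption: one-hour look-back
$cap   = 500                         # assumption: cap per ID to keep the query fast

# 1. Effective audit policy for the subcategories that produce these events.
#    Each must list "Success" for the corresponding events to be written.
$subcategories = 'Logon',
                 'Kerberos Authentication Service',
                 'Kerberos Service Ticket Operations'
foreach ($sub in $subcategories) {
    auditpol /get "/subcategory:$sub"
}

# 2. Per event ID: how many were logged, and the user/client IP of the newest one.
$report = foreach ($id in $ids) {
    $filter = @{ LogName = 'Security'; Id = $id; StartTime = $since }
    # Get-WinEvent raises a non-terminating error when nothing matches.
    $events = @(Get-WinEvent -FilterHashtable $filter -MaxEvents $cap -ErrorAction SilentlyContinue)

    $row = [ordered]@{
        EventId = $id; Count = $events.Count; Newest = $null; User = $null; ClientIp = $null
    }
    if ($events.Count -gt 0) {
        # Events are returned newest first; read named fields from the event XML.
        $data = @{}
        foreach ($d in ([xml]$events[0].ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        $row.Newest   = $events[0].TimeCreated
        $row.User     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        $row.ClientIp = $data['IpAddress']
    }
    [pscustomobject]$row
}
$report | Format-Table -AutoSize
```

An event ID with a count of 0 whose subcategory shows no "Success" setting in the auditpol output is not being audited on that DC.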
L4 Transporter

For the screenshot below, I do have the first option showing as "Success", but the other options under Audit features do not. Do I need some of the other options on as well, like audit logon events?
