Is there a reason why with Agentless User-ID I still never see any logs in Monitor? As shown below it definitely is working, but traffic logs do not show user-ids. I have an any any policy and the user-id box is checked on the zones. Any ideas? I have the agent on a 2012 server. I do see in the logs that it failed to connect to LDAP, but def it's working from the output.
dmin@PALO-TIA-03P vsys4(active-primary)> show user ip-user-mapping-mp all
IP              Vsys   From    User                             Timeout (sec)
--------------- ------ ------- -------------------------------- ----------------
10.64.21.84     vsys4  UIA     ad\rivea                         880
10.1.97.119     vsys4  UIA     ad\miche                         611
10.64.19.66     vsys4  UIA     ad\mclaugm                       1215
10.64.42.65     vsys4  UIA     ad\treeced                       265
10.64.42.104    vsys4  UIA     ad\kopitsc                       1045
10.148.2.216    vsys4  UIA     ad\mumphre                       652
10.84.2.50      vsys4  UIA     ad\bursono                       981
10.64.46.156    vsys4  UIA     ad\xueli                         977
Run the command "show session all filter source <ip>"; it will show the session ID. Now run the command "show session id <id>" and check whether there is a user name in the output or not. It might be that you are not logging the traffic.
Filter the logs by IP address and check if you have logs or not. Try removing the servers and doing a commit, then add the server, do a commit, and check if that helps or not.
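The check suggested above (compare the mapping table with the traffic log, IP by IP), as an added example that is not part of the original thread: it parses `show user ip-user-mapping-mp all` output and counts exported log rows whose source IP has a mapping but no user. All sample data is constructed, and the CSV column names `Source address` and `Source User` are assumptions about an exported traffic log.

```python
import csv
import io
import re

# Constructed sample in the same layout as the CLI output shown in the thread.
MAPPING_OUTPUT = """\
IP              Vsys   From    User                             Timeout (sec)
--------------- ------ ------- -------------------------------- ----------------
10.0.0.11       vsys4  UIA     example\\alice                    880
10.0.0.12       vsys4  UIA     example\\bob                      611
"""

# Constructed traffic-log export; the column names are assumptions.
TRAFFIC_CSV = """\
Source address,Source User,Rule
10.0.0.11,example\\alice,any-any
10.0.0.12,,any-any
10.0.0.12,,any-any
10.0.0.99,,any-any
"""

# One data row: IP, vsys, source of the mapping, user, timeout in seconds.
ROW = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")

def parse_mappings(text):
    """Return {ip: user} from the CLI table, skipping header and separator lines."""
    mappings = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            mappings[m.group(1)] = m.group(4)
    return mappings

def unattributed_sources(mappings, csv_text,
                         ip_col="Source address", user_col="Source User"):
    """Count log rows per source IP that has a mapping but no user in the log."""
    missing = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        ip = row[ip_col].strip()
        # IPs with no mapping are skipped: an empty user is expected for them.
        if ip in mappings and not row[user_col].strip():
            missing[ip] = missing.get(ip, 0) + 1
    return missing

if __name__ == "__main__":
    maps = parse_mappings(MAPPING_OUTPUT)
    for ip, n in unattributed_sources(maps, TRAFFIC_CSV).items():
        print(f"{ip}: mapped to {maps[ip]} but {n} log rows have no source user")
```

Rows flagged here point at the dataplane or logging side rather than at the agent, since the mapping already exists on the management plane.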
Ensure that the Monitor tab has the "Source User" column. Additionally, I found that restarting the userID daemon helped me with a few problems:
> debug software restart process user-id core yes
Restarting the management plane helped me as well (this will not affect normal traffic):
> debug software restart process management-server
You can also follow the user-id log for more info.
> tail follow yes mp-log useridd.log
Tried all these recommendations and in the User-Agent Monitor tab I still show only 2 IPs, which are the IP of the firewall and the IP of my actual PC. I still never see any of the users that are showing as logged in under the CLI coming in on the agent. I have pretty much read every article that exists on PA and User-ID set to no avail. So I'm going to presume that my issue is maybe log related on the server itself. Apparently I'm supposed to see the below type of responses from the Agent logs, which I never do.
If you open the Windows event viewer, do these event IDs ever show up?
You may need to enable success auditing in the domain security settings:
For the screenshot below, I do have the first option showing as "Success" but the other options do not under Audit features. Do I need some of the other options on as well, like audit logon events?