12-16-2020 02:55 AM - edited 12-16-2020 07:39 AM
Hello everyone,
we're using a VM300. I've recently set up 2 VPN tunnels, ike1 and ikev2. Tunnels come up successfully, but no user-ID is being transmitted and apps are not being discovered properly.
We also have another site connected via MPLS where everything works fine.
User-ID has been enabled on the zone where the tunnels are connected to.
Any hints and ideas what I am missing?
12-16-2020 05:45 AM
Good Morning
So I am a little confused about expectations and what you described.
First, User ID is NOT transmitted, it is received from your local FW, when a Src Addr communicates.
So I do not believe we are "transmitting" UserID to the remote side.
I am not sure I understand the connection between no UserID and applications detection.
Are you stating the zero applications are seen across your VPN? That does seem strange.
Perhaps you can do more into detail on this aspect.
I think the feature you need to enable (if I understand correctly) is User ID redistribution.
12-16-2020 05:45 AM
what mechanism are you using to match incoming IP addresses to user-id ? (are incoming user connections logging in via an account on the local AD. is Captive Portal set up? )
and what are you seeing in regards to apps not being identified correctly?
12-16-2020 05:49 AM
Hi @JoschkaKruse ,
Lets make it clear user-ID has nothing to do with app-ID, so lets separate the two issues.
User-ID:
Enabling user-ID on the IPsec tunnel zone will only tell the firewall to look for user-to-ip mapping for the source IPs that are received from that zone. You still need to have the "user-to-ip" mapping information from somewhere. If you say you are using Agentless I guess you are using Server Monitor and firewall is looking at the Active Directly security logs for logon events. Can you confirm that AD you are monitoring have logon events for the users in the remote network? Are these users use the same AD?
I cannot think of any reason why IPsec tunnel will behave differently from any other interface on the firewall. So I will abstract from the fact that it is IPsec tunnel, and look if the AD that FW is monitoring actually have information for IP network behind the tunnel.
Application-ID:
Again - no reason why IPsec tunnel will behave differently from any other interface on the firewall. In addition FW will always try to identify the traffic that is processing, no matter if you use apps in the security rulebase or not. Can you explain a bit more what do you mean by "apps are not being dicovered properly"? What is firewall reporting and what do you expect to be reporting?
12-16-2020 08:42 AM
I'm pretty new to Palo and firewalling, so sorry for the lack of info I gave you 😞
We're using a UIA and terminal server agent. Sorry for the faulty info.
Thanks for all your responses so far. Just figured it out I guess 🙂
App-id for internal traffic worked properly.
Same with user-id somehow.
Maybe I had a faulty client for my tests yesterday.
So my only issue seemed to be the app-id.
I saw that all external requests ended up as incomplete and NAT destination port as 0.
So what I missed was, to add the VPN zone to the hide NAT rule. After that, appid was recognized immediately. 🙂
The only thing I'm wondering about is the fact that the user-id gets lost after a longer period of inactivity on the client in the VPN network. Maybe that's cause of the cache settings configured for the user-id?
12-16-2020 09:57 AM
User-ID information will age-out unless your are actively receiving additional logs for that user or you have enabled probing. You can either adjust that so it holds onto the mapping longer, add additional sources to be monitored such as Exchange, or setup probing. What is your timeout value currently set to?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
