User ID Anomalies


L3 Networker

Hi,

 

I had some strange behaviour with a user in User-ID. We have two sites, A and B, and our firewalls get the mapping from the same agent.

 

We found that user1 accesses site A and user2 accesses site B.

The issue we found is that user1 is accessing site B using user2's IP.

 

We checked the mapping on each site and it is fine, but we don't find user1 mapped to user2's IP on any firewall.

 

We checked the User-ID logs in the GUI and CLI and there is no history of user1 being mapped to the IP that user2 is using.

 

Any clue where I can find this data related to the User-ID mapping? I used all the CLI commands but didn't find any information that user1 was mapped to user2's IP.

 

Thanks in advance.
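One way to find the evidence the original post is looking for is to stop relying on the live mapping table and instead correlate the traffic log with it: the traffic log records which user the firewall attributed to each session at the time, while `show user ip-user-mapping all` only shows the current state, so a mapping that has since timed out or been overwritten will not appear there. The script below is an added example, not code from the post or from Palo Alto Networks. Both inputs are constructed samples: the mapping text imitates the column layout of `show user ip-user-mapping all` and the traffic log imitates a CSV export reduced to the columns used here; real column layouts vary between PAN-OS versions, so the parsers are a starting point, not a spec.

```python
import csv
import io
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample of the current mapping state (layout modelled on
# `show user ip-user-mapping all`; adjust column index if yours differs).
MAPPING_OUTPUT = r"""
IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
10.1.1.10       vsys1  UIA     corp\user1                       2345           2700
10.2.1.20       vsys1  UIA     corp\user2                       1800           2700
Total: 2 users
"""

# Constructed sample of a traffic-log CSV export. Row 2 is the anomaly from
# the thread: user1 logged against the IP that User-ID maps to user2.
TRAFFIC_LOG = r"""Receive Time,Source address,Source User,Destination address,Application,Action
2024/10/17 10:15:02,10.1.1.10,corp\user1,172.16.10.5,web-browsing,allow
2024/10/17 10:15:07,10.2.1.20,corp\user1,172.16.20.5,ssl,allow
2024/10/17 10:15:09,10.2.1.20,corp\user2,172.16.20.5,ssl,allow
2024/10/17 10:16:00,10.3.1.30,,172.16.10.5,dns,allow
2024/10/17 10:16:30,10.4.1.40,corp\user3,172.16.10.5,ssl,allow
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass(frozen=True)
class Finding:
    time: str
    ip: str
    logged_user: str
    mapped_user: Optional[str]
    reason: str


def parse_ip_user_mapping(text: str) -> dict:
    """Return {ip: user}; header, separator and Total lines are skipped
    because their first token is not an IPv4 address. Columns assumed:
    IP, Vsys, From, User, ..."""
    mapping = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not IPV4.match(parts[0]):
            continue
        mapping[parts[0]] = parts[3]
    return mapping


def parse_traffic_log(text: str) -> list:
    """Parse a CSV traffic-log export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def find_mismatches(mapping: dict, rows: list) -> list:
    """Flag rows whose Source User disagrees with the current mapping.
    Empty Source User means unmapped traffic, not a conflict, so it is
    ignored; comparison is case-insensitive to tolerate casing differences."""
    findings = []
    for row in rows:
        ip = row["Source address"]
        logged = row["Source User"].strip()
        if not logged:
            continue
        mapped = mapping.get(ip)
        if mapped is None:
            findings.append(Finding(row["Receive Time"], ip, logged, None,
                                    "user logged but IP has no current mapping"))
        elif logged.lower() != mapped.lower():
            findings.append(Finding(row["Receive Time"], ip, logged, mapped,
                                    "traffic-log user differs from User-ID mapping"))
    return findings


def users_per_ip(rows: list) -> dict:
    """Group distinct non-empty Source Users by source IP. One IP carrying
    several users is the thread's symptom, and this needs only the log,
    so it still works after the live mapping has changed."""
    seen = defaultdict(set)
    for row in rows:
        user = row["Source User"].strip()
        if user:
            seen[row["Source address"]].add(user)
    return dict(seen)


if __name__ == "__main__":
    mapping = parse_ip_user_mapping(MAPPING_OUTPUT)
    rows = parse_traffic_log(TRAFFIC_LOG)
    for f in find_mismatches(mapping, rows):
        print(f"{f.time} {f.ip}: logged={f.logged_user} mapped={f.mapped_user} ({f.reason})")
    for ip, users in users_per_ip(rows).items():
        if len(users) > 1:
            print(f"{ip} attributed to more than one user: {sorted(users)}")
```

On the sample data this reports the 10.2.1.20 session logged as user1 while the mapping says user2, and separately flags 10.2.1.20 as carrying two users. Run it against a mapping snapshot taken as close as possible to the time of the suspect sessions; the second check is the one to keep if the snapshot is already stale.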

 

Cyber Elite

@DennyChanditya,

Looks like you're using XFF for mapping, which complicates things. You might want to spend some time with https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/identify-users-connected-through-a... and more specifically https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/identify-users-connected-through-a... mentioned on that page.

We are not using an XFF configuration, only User-ID from the agent. The issue here is that we didn't find the mapping for the specific user in the User-ID logs, not even any history of it, but the traffic log shows the IP being used by that source user.

L3 Networker

Still no update so far; I have already opened a case.

We found that in one session the Traffic log was different between the GUI and the CLI: in the GUI it showed an incorrect IP-to-user mapping, but in the CLI the IP-to-user mapping was correct.

 

The User-ID agent and the User-ID logs are fine, they have the right mapping; the problem is only in the traffic logs.

What code are you running? We ran into an issue where ID mapping wasn't correct on 3410s running 10.2.7; it was identified as PAN-239366. Maybe you're hitting this bug? A reboot of the firewalls was needed to get the mapping to show correctly. There was also a debug command which could be run in lieu of the reboot, but my suggestion is to confirm with TAC that your issue could be related to this bug. If it is, they can also provide a workaround.

 

I think 10.2.10-h4 fixes this bug; TAC can also confirm this.

I'm using a PA-5220 with 10.2.9-h1. As the last action we restarted log-receiver on the firewall, as TAC suggested.

We still don't know what caused this, but so far the UID agent mapping and the users in the traffic log are correct.

 

We are still monitoring, because we found that the traffic log in the GUI and the CLI showed different source users.
