This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

User ID Anomalies

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

User ID Anomalies

DennyChanditya
L3 Networker

‎10-17-2024 12:46 AM - edited ‎10-17-2024 12:49 AM

Hi,

 

I had a strange behaviour with some user on user ID. We have 2 site A and B and our firewall have the mapping from the same agent.

 

we found that user1 access site A and user2 access site B.

issue that we found that user1 is access site B using the user2 IP.

DennyChanditya_0-1729151292634.png

 

We check on each site the mapping is fine, but we dont find the user1 mapping to IP user2 on all firewall.

DennyChanditya_1-1729151338014.png

 

we check on User ID logs GUI and CLI it dont have any history about user1 was mapping to IP that user2 is using.

 

Any clue where i can find this data related to user id mapping, because i was use all the CLI command but didn't find the information that user1 was mapping to IP user2.

 

Thanks before.

 

0 Likes Likes
4 REPLIES 4

BPry
Cyber Elite
Cyber Elite

‎10-17-2024 04:30 PM

@DennyChanditya,

Looks like you're using XFF for mapping which complicates things. You might want to spend some time with https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/identify-users-connected-through-a... more specifically https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/identify-users-connected-through-a... mentioned on that page. 

0 Likes Likes

DennyChanditya
L3 Networker
In response to BPry

‎10-17-2024 09:01 PM

We are not using XFF Configuration, only user ID from the agent, issue here we didnt find the mapping for specific user on user-id logs even no history about it. but on traffic log it shows the IP is  used by that source user

0 Likes Likes

DennyChanditya
L3 Networker

‎10-29-2024 08:44 PM

Still not getting update until now, already opencase

we found that in one session, it was different logs from Traffic log GUI and CLI
from GUI it was incorrect mapping ip and user, but in CLI it was correct mapping for ip and user.

 

userid agent and user id logs is fine, they have the right mapping, but only in the traffic logs

0 Likes Likes

Brandon_Wertz
L6 Presenter
In response to DennyChanditya

‎10-30-2024 06:09 AM

What code are you running? We ran into an issue where ID mapping wasn't correct on 3410s running 10.2.7, it was identified as PAN-239366.  Maybe you're hitting this bug?  A reboot of firewalls was needed to get the mapping to show correctly.  There was also a debug command which could be ran in-lieu-of the reboot, but my suggestion is to confirm with TAC your issue could be related to this bug.  If it is they can also provide a work around.

 

I think 10.2.10-h4 fixes this bug, TAC can also confirm this.

0 Likes Likes
  • 439 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks