10-17-2024 12:46 AM - edited 10-17-2024 12:49 AM
Hi,
I saw some strange behaviour with some users on User-ID. We have 2 sites, A and B, and our firewalls get the mapping from the same agent.
We found that user1 accesses site A and user2 accesses site B.
The issue we found is that user1 is accessing site B using user2's IP.
We checked the mapping on each site and it is fine, but we don't find user1 mapped to user2's IP on any of the firewalls.
We checked the User-ID logs in the GUI and CLI, and they don't have any history of user1 being mapped to the IP that user2 is using.
Any clue where I can find this data related to User-ID mapping? I used all the CLI commands but didn't find any information that user1 was mapped to user2's IP.
Thanks in advance.
10-17-2024 04:30 PM
Looks like you're using XFF for mapping which complicates things. You might want to spend some time with https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/identify-users-connected-through-a... more specifically https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/identify-users-connected-through-a... mentioned on that page.
10-17-2024 09:01 PM
We are not using XFF configuration, only User-ID from the agent. The issue here is that we didn't find the mapping for the specific user in the User-ID logs, not even any history of it, but the traffic log shows the IP being used by that source user.
10-29-2024 08:44 PM
Still no update so far; we have already opened a case.
We found that for one session, the traffic log shows different entries in the GUI and the CLI.
In the GUI the IP-to-user mapping was incorrect, but in the CLI the IP-to-user mapping was correct.
The User-ID agent and User-ID logs are fine and have the right mapping; the problem is only in the traffic logs.
10-30-2024 06:09 AM
What code are you running? We ran into an issue where ID mapping wasn't correct on 3410s running 10.2.7; it was identified as PAN-239366. Maybe you're hitting this bug? A reboot of the firewalls was needed to get the mapping to show correctly. There was also a debug command which could be run in lieu of the reboot, but my suggestion is to confirm with TAC whether your issue could be related to this bug. If it is, they can also provide a workaround.
I think 10.2.10-h4 fixes this bug, TAC can also confirm this.
11-19-2024 12:19 AM
I'm using a PA5220 with 10.2.9-h1. As the last activity, we restarted the log-receiver on the firewall, as TAC said.
We still don't know what caused this, but so far the UID agent mapping and the users in the traffic log are correct.
We are still monitoring, because we found that the traffic log in the GUI and the CLI differ in the source users they show.