03-27-2018 02:14 PM
Hi
1- On the firewall, what is the difference between the cache timeout value (1 hour, which cannot be configured) and the idle timeout value (which is equal to the User-ID agent timeout value)?
3- If the idle timeout value is 480 minutes (8 hours), then what will happen to the user-IP mapping in the firewall after one hour?
2- Also, what events reset both timers?
3- Also, I notice that when a user is logged in to a machine but has locked it, the User-ID agent shows the correct username-to-IP mapping BUT the firewall shows the machine name with a '$' sign. Once the user unlocks and logs in again, the User-ID agent still shows the correct username-to-IP mapping, and the firewall now also shows the correct username-to-IP mapping. Can someone explain this to me?
192.168.44.100 vsys1 UIA my-domain\windows7$ 28471 28471
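The mapping line quoted above, parsed by a small check that flags machine-account mappings (user ending in `$`) and mappings close to their idle timeout. This is an added example, not code from the thread or from Palo Alto Networks; it assumes the column order IP, vsys, source, user, idle timeout and max timeout in seconds, and the sample rows are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample in the assumed layout of `show user ip-user-mapping all`:
# IP, vsys, source, user, idle timeout (s), max timeout (s); windows7$ is the entry quoted above.
SAMPLE = """\
IP              Vsys   From   User                  IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------ --------------------- -------------- -------------
192.168.44.10   vsys1  UIA    my-domain\\alice      3512           28800
192.168.44.100  vsys1  UIA    my-domain\\windows7$  28471          28471
192.168.44.120  vsys1  UIA    my-domain\\bob        120            28800
"""
LINE_RE = re.compile(
    r"^(?P<ip>\d+(?:\.\d+){3})\s+(?P<vsys>\S+)\s+(?P<src>\S+)\s+"
    r"(?P<user>\S+)\s+(?P<idle>\d+)\s+(?P<max>\d+)\s*$"
)

@dataclass
class Mapping:
    ip: str
    vsys: str
    source: str
    user: str
    idle_left: int  # seconds until the firewall's idle timer fires
    max_left: int   # seconds until the hard timeout

    @property
    def is_machine_account(self) -> bool:
        # AD computer accounts are DOMAIN\host$; user-based policy cannot
        # match traffic from an IP that is mapped to one.
        return self.user.endswith("$")

def parse_mappings(text: str) -> list:
    """Parse table rows, skipping the header and separator lines."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append(Mapping(m["ip"], m["vsys"], m["src"], m["user"],
                                int(m["idle"]), int(m["max"])))
    return rows

def audit(text: str, expiring_within: int = 300) -> dict:
    """IPs mapped to a machine account, and IPs whose mapping is about to expire."""
    maps = parse_mappings(text)
    return {
        "machine_accounts": [m.ip for m in maps if m.is_machine_account],
        "expiring": [m.ip for m in maps
                     if not m.is_machine_account and m.idle_left <= expiring_within],
    }
```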
03-28-2018 01:56 AM
hi @faizankhurshid!
1. So the firewall gets user information from the User-ID agent and sets it to an idle timeout of 1 hour. After an hour it will check with the User-ID agent to make sure the user still has a mapping (the UIA is the authority) and, if so, refresh the mapping.
eh.. 3.1: see 1., the firewall queries the User-ID agent to ensure the mapping is still good; if the UIA still has 7 hours left, the mapping is refreshed on the firewall.
2. If they happen to time out at exactly the same time, the mapping will simply disappear until a new event creates a new mapping. If the agent times out first, it will send a delete message to the firewall and the mapping will be removed before it reaches idle. If the firewall times out first, it will query the UID agent and refresh the mapping, then will receive a delete and clear the mapping anyway when the agent clears the user.
3.2 What version are your User-ID agents on? Do you have probing enabled?
03-28-2018 12:28 AM
@reaper can you please help me for point 3 specially
03-28-2018 04:38 AM
@reaper thanks for the crystal clear explanation. I double-checked on the agent and there is no NetBIOS or WMI probing enabled. I am using 8.1.0-66. When the user logs in, the firewall shows the correct mapping for a few seconds at most, and then it keeps showing "domain-name/computer-name$" and policies based on that User-ID stop working.
03-28-2018 05:06 AM
hm
Did you configure agentless on the firewall perhaps (with probing)?
You may want to reach out to support to have them take a closer look, other than probing there's no explanation I can provide at this time
03-28-2018 07:35 AM
I'm also seeing machine accounts instead of users in the log from time to time.
Using UID-agent 8.0.4-5. No probing.
03-28-2018 11:00 PM
@superture, hi.
Can I just ask, are you seeing these entries in the User-ID agent log, or just on the PA?
04-20-2018 02:53 PM - edited 04-20-2018 02:54 PM
Question:
@reaper thanks for the crystal clear explanation. I double-checked on the agent and there is no NetBIOS or WMI probing enabled. I am using 8.1.0-66. When the user logs in, the firewall shows the correct mapping for a few seconds at most, and then it keeps showing "domain-name/computer-name$" and policies based on that User-ID stop working.
Answer:
This is an issue with User-ID agent 8.1.0-66; I would request you to open a support case and refer to Palo Alto internal issue number WINAGENT-314.
Regards
Khan