user-ID cache timeout vs idle timeout on firewall



L3 Networker

Hi

1- On the firewall, what is the difference between the cache timeout value (1 hour, which cannot be configured) and the idle timeout value (which is equal to the User-ID agent timeout value)?

3- If the idle timeout value is 480 minutes (8 hours), then what will happen to the user-to-IP mapping after one hour on the firewall?

2- Also, what events reset both timers?

3- Also, I notice that when a user is logged in to a machine but has locked the machine, the User-ID agent shows the correct username-to-IP mapping BUT the firewall shows the machine name with a '$' sign. Once the user unlocks and logs in again, the User-ID agent still shows the correct username-to-IP mapping, and the firewall now also shows the correct username-to-IP mapping. Can someone explain this to me?

192.168.44.100   vsys1   UIA   my-domain\windows7$           28471     28471 

Accepted Solution

Cyber Elite

hi @faizankhurshid !

1. So the firewall gets user information from the User-ID agent and sets it to an idle timeout of 1 hour. After an hour it will check with the User-ID agent to make sure the user still has a mapping (the UIA is the authority) and, if so, refresh the mapping.

eh.. 3.1: see 1. The firewall queries the User-ID agent to ensure the mapping is still good; if the UIA still has 7 hours left, the mapping is refreshed on the firewall.

2. If they happen to time out at exactly the same time, the mapping will simply disappear until a new event creates a new mapping. If the agent times out first, it will send a delete message to the firewall and the mapping will be removed before it reaches idle. If the firewall times out first, it will query the UID agent and refresh the mapping, then will receive a delete and clear the mapping anyway when the agent clears the user.

3.2 What version are your User-ID agents on? Do you have probing enabled?

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

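The timer interplay in points 1 and 2 of the accepted answer, as an added model written for this thread (it is not Palo Alto Networks code): the agent's idle timeout is authoritative, the firewall cache is fixed at one hour and re-queries the agent when it expires, and a delete from the agent clears the firewall entry at once. The message names, the one-minute time step and the assumption that a new logon event reaches the agent and the firewall at the same instant are assumptions of the model, not taken from PAN-OS.

```python
"""Model of the two User-ID mapping timers described in the accepted answer.

Added illustration for this thread, not Palo Alto Networks code. Assumed, not
taken from PAN-OS: the message names, the one-minute time step, and that a new
logon event is seen by the agent and the firewall at the same instant.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

FW_CACHE_TIMEOUT = 3600  # seconds; the thread says this is fixed at one hour


@dataclass
class Firewall:
    cache_expires_at: Optional[int] = None  # None means no mapping cached
    refreshes: List[int] = field(default_factory=list)
    removed_at: Optional[int] = None

    def learn(self, now: int) -> None:
        """A new mapping arrives from the agent: start the one-hour cache timer."""
        self.cache_expires_at = now + FW_CACHE_TIMEOUT

    def delete(self, now: int) -> None:
        """A delete message from the agent clears the mapping whatever the cache timer says."""
        if self.cache_expires_at is not None:
            self.cache_expires_at = None
            self.removed_at = now

    def has_mapping(self) -> bool:
        return self.cache_expires_at is not None

    def tick(self, now: int, agent: "Agent") -> None:
        """On cache expiry, ask the agent (the authority) whether the mapping still stands."""
        if self.cache_expires_at is None or now < self.cache_expires_at:
            return
        if agent.has_mapping(now):
            self.refreshes.append(now)
            self.cache_expires_at = now + FW_CACHE_TIMEOUT
        else:
            self.cache_expires_at = None
            self.removed_at = now


@dataclass
class Agent:
    idle_timeout: int  # seconds; the configurable User-ID agent timeout
    expires_at: Optional[int] = None
    deletes_sent: List[int] = field(default_factory=list)

    def login_event(self, now: int) -> None:
        """A logon event (re)starts the agent's idle timer."""
        self.expires_at = now + self.idle_timeout

    def has_mapping(self, now: int) -> bool:
        return self.expires_at is not None and now < self.expires_at

    def tick(self, now: int, fw: Firewall) -> None:
        """On idle timeout, drop the mapping and send a delete to the firewall."""
        if self.expires_at is not None and now >= self.expires_at:
            self.expires_at = None
            self.deletes_sent.append(now)
            fw.delete(now)


def simulate(agent_idle_timeout: int, horizon: int,
             relogins: Optional[List[int]] = None, step: int = 60) -> Dict[str, object]:
    """Run both timers from a logon at t=0 and report what each side did.

    relogins: times (seconds) at which a fresh logon event resets both timers.
    The agent is ticked first so that a simultaneous expiry behaves as the
    answer describes: the mapping simply disappears.
    """
    agent, fw = Agent(idle_timeout=agent_idle_timeout), Firewall()
    agent.login_event(0)
    fw.learn(0)
    for now in range(step, horizon + 1, step):
        if relogins and now in relogins:
            agent.login_event(now)
            fw.learn(now)
        agent.tick(now, fw)
        fw.tick(now, agent)
    return {"refreshes": fw.refreshes, "deletes": agent.deletes_sent,
            "removed_at": fw.removed_at, "mapped": fw.has_mapping()}


if __name__ == "__main__":
    # 480-minute agent timeout: the firewall refreshes every hour, then the
    # agent's delete at 8 h clears it. 45-minute timeout: the delete arrives
    # before the firewall cache ever expires.
    for idle, horizon in ((28800, 32400), (2700, 7200), (3600, 7200)):
        print(idle, simulate(idle, horizon))
```

Point 3.1 of the answer is the first scenario: seven refreshes at 1 h through 7 h, then the agent's delete at 8 h. A logon seen mid-interval (the `relogins` argument) restarts both timers from that instant.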

8 REPLIES

L3 Networker

@reaper can you please help me with point 3 especially


@reaper thanks for the crystal clear explanation. I double-checked on the agent and there is no NetBIOS or WMI probing enabled. I am using 8.1.0-66. When the user logs in, the firewall shows the correct mapping for a maximum of some seconds and then keeps showing "domain-name/computer-name$", and policies stop working based on that User-ID.

hm

Did you configure agentless on the firewall perhaps (with probing)?

You may want to reach out to support to have them take a closer look; other than probing there's no explanation I can provide at this time.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

I'm also seeing machine accounts in the log instead of users from time to time.

Using UID agent 8.0.4-5. No probing.

@superture, hi.

Can I just ask, are you seeing these entries in the User-ID agent log, or just on the PA?

Hi there

Both

Question:

@reaper thanks for the crystal clear explanation. I double-checked on the agent and there is no NetBIOS or WMI probing enabled. I am using 8.1.0-66. When the user logs in, the firewall shows the correct mapping for a maximum of some seconds and then keeps showing "domain-name/computer-name$", and policies stop working based on that User-ID.

Answer:

This is an issue with User-ID agent 8.1.0-66, and I would request you to open a support case and refer to Palo Alto internal issue number WINAGENT-314.

Regards

Khan
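A check for the symptom raised in the question and in the replies above (an IP learned as DOMAIN\HOST$ instead of the user), as an added example and not PAN-OS or User-ID agent code: it parses the text of `show user ip-user-mapping all`, flags machine-account mappings that user-based policy will not match, and flags mappings close to idling out. The column order (IP, Vsys, From, User, IdleTimeout(s), MaxTimeout(s)) follows the line quoted in the question; the sample table, the `Never` token for mappings without a timer, and the 300-second threshold are constructed for the example.

```python
"""Flag machine-account and near-expiry entries in the firewall's IP-to-user table.

Added example for this thread, not PAN-OS or User-ID agent code. Assumptions:
the input is the text of `show user ip-user-mapping all` with the column order
seen in the question's quoted line; the sample output below is constructed.
"""
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample in the layout of `show user ip-user-mapping all`.
SAMPLE_OUTPUT = """\
IP              Vsys   From    User                      IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- ------------------------- -------------- -------------
192.168.44.100  vsys1  UIA     my-domain\\windows7$      28471          28471
192.168.44.101  vsys1  UIA     my-domain\\jdoe           120            1200
192.168.44.102  vsys1  GP      my-domain\\asmith         Never          Never
Total: 3 users
"""


class Mapping(NamedTuple):
    ip: str
    vsys: str
    source: str
    user: str
    idle_s: Optional[int]  # None when the table prints "Never"
    max_s: Optional[int]


# Six whitespace-separated columns; header and separator rows match too and are
# dropped below because their first column is not an IP address.
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def _timeout(token: str) -> Optional[int]:
    return None if token.lower() == "never" else int(token)


def parse_mappings(text: str) -> List[Mapping]:
    """Return one Mapping per data row of the table, skipping header/footer lines."""
    rows: List[Mapping] = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        ip, vsys, source, user, idle, mx = m.groups()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # header or separator row
        rows.append(Mapping(ip, vsys, source, user, _timeout(idle), _timeout(mx)))
    return rows


def is_machine_account(user: str) -> bool:
    """Windows computer accounts are DOMAIN\\HOST$; user-based policy never matches them."""
    return user.rsplit("\\", 1)[-1].endswith("$")


def find_problems(mappings: List[Mapping], expiring_within_s: int = 300) -> List[Tuple[str, str, str]]:
    """List (ip, problem, detail) for machine-account rows and rows about to idle out."""
    problems: List[Tuple[str, str, str]] = []
    for m in mappings:
        if is_machine_account(m.user):
            problems.append((m.ip, "machine-account", m.user))
        elif m.idle_s is not None and m.idle_s <= expiring_within_s:
            problems.append((m.ip, "expiring-soon", f"{m.idle_s}s idle left"))
    return problems


if __name__ == "__main__":
    for ip, problem, detail in find_problems(parse_mappings(SAMPLE_OUTPUT)):
        print(f"{ip:<16}{problem:<18}{detail}")
```

Feed it the saved CLI output and compare the flagged IPs with what the User-ID agent itself shows for the same addresses; an IP that the agent maps to a user but the firewall maps to HOST$ is the discrepancy described in this thread.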
