User-ID Help

Reply
JonHill
L1 Bithead

User-ID Help

In recent weeks we've had a problem reported where one minute a site will be accessible for instance Youtube and then it won't be and then it will and it goes on, after looking in the logs when  the connection to Youtube fails is when the log show no USER-ID when it works it shows a local USER-ID. We use an AD group for access to general internet and have this configured on the corresponding rule.

 

I've tried troubleshooting looking at various knowledgbase articles but haven't found any reason why sometimes USER-ID's are correct and and sites can be accessed and then othertimes they can't its also not happeing for all sites accessed at the sametime it may not work for Youtube but it will work for Google.

 

Can anyone give me any ideas why this might be happeneing?

Thanks

Jon

 

 

kenvizena
L0 Member

Can you provide more information? 

What version of PanOS?

Are you using samaccountname and userprincipalname? 

 

Do you have the user-id agent parsing every single sec-event-log on every DC?

Do you have "enable user-id" on for every internal zone? 

Do you use Terminal Services? If so do you have that agent in that environment as well? 

Are you using the same SPG for all rules or do you have multiple SPG's? Depending on your environment you can have one source subnet hitting a different policy /w a different SPG and URL filter if configured. 

 

I have seen issues where a person is using a cached authentication in Windows when not connected to work via VPN and then attempts access which fails with the same type of error.  

 

For testing I would use sites that are not super-trackers to see if the issue is as simple as all internal zones having user-id enabled. I would also check to see when it fails from the command line what it shows. 

 

> show user ip-user-mapping all | match ken

 

IP VSYS Source user idletimeout maxtimeout

10.10.10.10 vsys1 UIA ken 2715 2715

 

Can the firewall get the updated ldap group membership?

 

> show user group list

cn=blah.blah.f00

 

> show user group name cn=blah.blah.f00

 

>show user group-mapping state f00

Servers : configured 2 servers

Last Action Time: 336 secs ago(took 12 secs)
Next Action Time: In 3264 secs

JonHill
L1 Bithead

Apologies for not replying sooner its been manic here and this is the first chance I’ve got to reply to your questions.

 

Thanks

 

Jon

 

What version of PanOS?                       9.08

Are you using samaccountname and userprincipalname?  Just samaccountname

 

Do you have the user-id agent parsing every single sec-event-log on every DC?               Yes

Do you have "enable user-id" on for every internal zone?     No, just our two Trust zones, WAN and Internet.

Do you use Terminal Services? If so do you have that agent in that environment as well? We don’t use Terminal Services in our environment but do use VDI.

Are you using the same SPG for all rules or do you have multiple SPG's? Depending on your environment you can have one source subnet hitting a different policy /w a different SPG and URL filter if configured. 

 

I have seen issues where a person is using a cached authentication in Windows when not connected to work via VPN and then attempts access which fails with the same type of error.  

 

For testing I would use sites that are not super-trackers to see if the issue is as simple as all internal zones having user-id enabled. I would also check to see when it fails from the command line what it shows. 

 

> show user ip-user-mapping all | match ken

jhill@PHMDP01_PAN5250(active)> show user ip-user-mapping all | match jhill

10.170.38.229                                 vsys1               UIA     ulh\jhill                        867            867

10.130.239.12                                 vsys1               UIA     ulh\jhill                        868            868 

 

Can the firewall get the updated ldap group membership?

 Yes it can.

> show user group list

cn=blah.blah.f00

 

> show user group name cn=blah.blah.f00

 It pulls back all the users in a group

>show user group-mapping state

Servers    : configured 4 servers

             

BPry
Cyber Elite

@JonHill,

So first thing to look at is actually your User Identification Timeout value is. Usually with issues like this the entry is simply aging off because activity isn't being recorded in the AD logs within the specified timeout value, so the firewall allows the ip-user-mapping to age off because it hasn't seen any user-id activity in the allotted timeframe. 

JonHill
L1 Bithead

Currently the Cache Timeout is set at 15 mins, I've read a couple of articles that this should be a lot higher and ideally half the DHCP refresh. I've also seen other articles that say if you're not using client probing it should be set at 600.
Server log monitor is set at 2s and session read frequency is set at 10s.
Any recommendations as to what these timers should be set at would be great?
Thanks

Jon



Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!