User-ID: ip-user-mapping not working from LAN

L2 Linker

Hi all,

 

I tried to configure the User identification for our LAN zones with PAN OS 7.1.3. I have the following Environment

Windows 2012 R2 Server

PA-500 with 7.1.3

I can see more than 200 users known by the firewall:

admin@firewall(active)> show user user-ids

User Name Vsys Groups
------------------------------------------------------------------
test.domain.com\user1 vsys1 cn=domain users,cn=users,dc=test,dc=domain,dc=com

...

...

I can also see the mapping of users to IP addresses for the GP logins:

admin@firewall(active)> show user ip-user-mapping all

IP Vsys From User IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------

10.xxx.xxx.xxx vsys1 GP domain\user1 9448 9448

....

but not for the users in our LAN environment:

192.xxx.xxx.xxx vsys1 Unknown unknown 3 6

but I can see the user I've configured for wmi-auth:

10.xxx.xxx.xxx vsys1 AD domain\wmi-auth-user 1785 1785

I tried it with the User-ID Agent on the AD server itself and without the User-ID Agent, but there is no mapping between the IP address and the user in our LAN.

Without User ID Agent

"Enable User Identification" is activated on the LAN Zone of the firewall

The AD server is configured as a server:

admin@firewall(active)> show user server-monitor state all


UDP Syslog Listener Service is disabled
SSL Syslog Listener Service is disabled

Server: adserver.test.domain.com(vsys: vsys1)
Host: adserver.test.domain.com
num of log query made : 58692
num of log query failed : 9
num of log read : 6911
last record timestamp : 1467785964
last record time : 20160706061924.113696-000

No network is included/excluded

Client Probing is enabled too

With User ID Agent

Configured in nearly the same way; there is no real error in the Agent's logfile:

07/05/16 14:42:27:213[ Info 1935]: ------------Service is being started------------
07/05/16 14:42:27:213[ Info 1942]: Os version is 6.2.0.
07/05/16 14:42:27:228[Error 568]: Cannot read debug log level with error 2(The system cannot find the file specified.
)
07/05/16 14:42:27:228[ Info 571]: Load debug log level Debug.
07/05/16 14:42:27:228[ Info 527]: Service version is 7.0.4.5.
07/05/16 14:42:27:228[ Info 574]: Product version is 7.0.4-5.
07/05/16 14:42:27:228[ Info 1015]: Found 0 ACL config. 0 processed.
07/05/16 14:42:27:228[ Info 1043]: Found 0 VM info source config. 0 processed.
07/05/16 14:42:27:228[ Info 1051]: Found 0 Syslog Profile(s) config.
07/05/16 14:42:27:228[ Info 1103]: Found 2 server config.
07/05/16 14:42:27:228[ Info 1138]: Found 0 include-exclude networks. 0 processed.
07/05/16 14:42:27:228[ Info 1163]: Found 0 custom log format config.
07/05/16 14:42:27:228[ Info 175]: Load 8 build-in formats and 0 custom formats for parsing security log.
07/05/16 14:42:27:228[Debug 322]: pool(probing): create worker thread 11768
07/05/16 14:42:27:228[Debug 322]: pool(probing): create worker thread 10404
07/05/16 14:42:27:228[Debug 322]: pool(probing): create worker thread 8916
07/05/16 14:42:27:228[Debug 322]: pool(probing): create worker thread 14108
07/05/16 14:42:27:228[ Info 1142]: Loaded 0 AD ip user mappings from file took 0 seconds
07/05/16 14:42:27:228[ Info 318]: DC security log and session query threads for server adserver.test.domain.com(index 0) are started.
07/05/16 14:42:27:228[ Info 318]: DC security log and session query threads for server adserver2.test.domain.com(index 1) are started.
07/05/16 14:42:27:228[ Info 624]: Active Direcotry gets started.
07/05/16 14:42:27:228[ Info 652]: User-ID VM monitor service started.
07/05/16 14:42:27:228[Debug 355]: Event: type="server status" name="10.xxx.xxx.xxx" status="Connecting"
07/05/16 14:42:27:228[Debug 355]: Event: type="server status" name="10.xxx.xxx.xxx" status="Connecting"
07/05/16 14:42:27:228[Debug 355]: Event: type="server status" name="10.xxx.xxx.xxx" status="Connected"
07/05/16 14:42:27:228[ Info 1416]: Connect succeeds on DC adserver.test.domain.com.
07/05/16 14:42:27:244[Debug 220]: Read security log succeed for DC adserver.test.domain.com.
07/05/16 14:42:27:244[Debug 355]: Event: type="server status" name="10.xxx.xxx.xxx" status="Connected"
07/05/16 14:42:27:244[ Info 1416]: Connect succeeds on DC adserver2.test.domain.com.
07/05/16 14:42:27:307[Debug 220]: Read security log succeed for DC adserver2.test.domain.com.
07/05/16 14:42:27:400[Debug 694]: Service started.
07/05/16 14:42:27:400[Debug 355]: Event: type="service status" status="started"
07/05/16 14:42:27:400[Debug 996]: Device listening thread started.
07/05/16 14:42:27:791[ Info 869]: New connection 127.0.0.1 : 65418.
07/05/16 14:42:27:791[Debug 911]: DevLink: Changed the default rx buffer size to 0x100000 for 127.0.0.1, port 65418
07/05/16 14:42:27:791[Debug 921]: DevLink: Changed the default tx buffer size to 0x100000 for 127.0.0.1, port 65418
07/05/16 14:42:27:791[ Info 942]: Device thread 0 with 127.0.0.1 : 65418 is started.
07/05/16 14:42:27:791[ Info 3254]: Device thread 0 accept finished
07/05/16 14:42:27:791[Debug 3302]: Device thread 0 SSL no certificate
07/05/16 14:42:27:791[Debug 2025]: Device thread 0 added job 1 for get-all
07/05/16 14:42:27:791[Debug 1493]: Device thread 0 send device status 127.0.0.1 : 65418 Connected
07/05/16 14:42:27:791[Debug 1950]: Device thread 0 proc get-all on thread 13740 job 1
07/05/16 14:42:27:791[ Info 755]: AD Get-all started for device thread 0 from 127.0.0.1
07/05/16 14:42:27:791[ Info 821]: AD Get-all returned 0 AD entries for device thread 0
07/05/16 14:42:28:057[Debug 1529]: Device thread 0 send server status adserver.test.domain.com(10.141.0.65) Connected
07/05/16 14:42:28:275[Debug 1529]: Device thread 0 send server status adserver2.test.domain.com(10.133.0.3) Connected
07/05/16 14:42:28:525[Debug 1529]: Device thread 0 send server status adserver.test.domain.com(10.141.0.65) Connected
07/05/16 14:42:28:729[Debug 1529]: Device thread 0 send server status adserver2.test.domain.com(10.133.0.3) Connected
07/05/16 14:42:29:494[Debug 284]: Reading 51200 security logs takes 2265 ms for DC adserver.test.domain.com.
07/05/16 14:42:38:446[Debug 284]: Reading 34214 security logs takes 11203 ms for DC adserver2.test.domain.com.

But I cannot see any user-to-IP mapping on the Agent.

From my perspective the wmi-auth-user has the right permissions to read the security logfile of the AD Server.

Do you have any idea how to proceed?

Thanks,

Stephan


Accepted Solutions
L7 Applicator

Make sure you enable 'success' audits in the local security policy; these are disabled by default, so successful logins will not be logged.

Tom Piens - PANgurus.com
Find my book at amazon.com/dp/1789956374

All Replies
L6 Presenter

Hi... The agent's log shows that the agent is reading the security log of adserver.test.domain.com and adserver2.test.domain.com, so the access permission is OK. Can you query the security logs on the DCs to see if the DCs are set up to log logon event IDs 4624, 4768, 4769, 4770, 540, 672, 673, 674? The agent is looking for these events.
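One way to run the check suggested in this reply directly on a DC, as an added example that is not part of the original thread (the audit subcategory names and the auditpol output layout are assumptions about an English-language Windows install):

```powershell
# Added example, not from the thread: run on a DC in an elevated PowerShell
# session. Checks that the audit policy records successful logons and counts
# the logon event IDs the User-ID agent reads. Subcategory names assume an
# English Windows installation.

# Event IDs named in the reply above (4624/4768/4769/4770 on current DCs,
# 540/672/673/674 on legacy DCs).
$UserIdEventIds = 4624, 4768, 4769, 4770, 540, 672, 673, 674

# 1. Audit subcategories that produce those events. 'Success' must be enabled;
#    it is not by default, which is what this thread ran into.
$Subcategories = 'Logon', 'Kerberos Authentication Service', 'Kerberos Service Ticket Operations'
foreach ($sub in $Subcategories) {
    $pattern = '^\s+' + [regex]::Escape($sub) + '\s{2,}(.+)$'
    $line = auditpol /get /subcategory:"$sub" | Where-Object { $_ -match $pattern } | Select-Object -First 1
    $setting = if ($line -and ($line -match $pattern)) { $Matches[1].Trim() } else { 'unknown' }
    $verdict = if ($setting -match 'Success') { 'OK' } else { 'MISSING: enable Success auditing' }
    '{0,-36} {1,-20} {2}' -f $sub, $setting, $verdict
}

# 2. Count User-ID logon events written in the last 24 hours; the original
#    post saw only five 4769s, which pointed at the audit policy.
$since  = (Get-Date).AddHours(-24)
$filter = @{ LogName = 'Security'; Id = $UserIdEventIds; StartTime = $since }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) {
    'No User-ID logon events in the last 24 hours: see the audit policy check above.'
} else {
    $events | Group-Object Id | Sort-Object { [int]$_.Name } |
        ForEach-Object { '{0,-5} {1,6} events' -f $_.Name, $_.Count }
}

# 3. The user/IP pairs the agent derives from the newest events, read by field
#    name from the event XML so property order does not matter across OS versions.
$events | Sort-Object TimeCreated -Descending | Select-Object -First 10 | ForEach-Object {
    $data = ([xml]$_.ToXml()).Event.EventData.Data
    $user = ($data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
    $ip   = ($data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
    '{0:u} {1,-5} {2,-30} {3}' -f $_.TimeCreated, $_.Id, $user, $ip
}
```

If step 1 reports MISSING for a subcategory, enable Success auditing for it in the (domain or local) security policy and re-run step 2 after a fresh workstation logon.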

L2 Linker

Hi,

thanks for your reply. I only see Event ID 4769, and only 5 of them within 24 hours.

The content of the Event is not really useful from my perspective because I can see the Client Address but the User ID = NULL SID.

Does that mean that the source of the issue is related to the AD Server?

L6 Presenter

I would recommend checking out the 2 DCs and understanding why there were only 5 event ID 4769. Maybe you can test by logging off Windows and logging back in to generate a login event. Verify that your login event is picked up by 1 of the 2 DCs.

Do you have other DCs on the network that users may be logging into but that are not monitored by the User-ID agent?

L2 Linker

It's a little bit complicated with logging off Windows because both of them are productive :-)

I will create a clone of one of the DCs for further investigation and keep you up to date.

L6 Presenter

I meant to log off from your PC and log on again from your PC, not logging off the DC servers. Basically we want to simulate a user logging into your AD domain, and one of your DCs should record the logon event. If the DC records the event, then the agent should pick up that user-IP mapping.

L2 Linker

Looks like something is wrong with the DC servers.

None of these login events are created when I log into the AD domain, but a few (from my perspective related) error messages are. I will try to solve them and update this discussion afterwards.

L2 Linker

The error messages I saw are already solved, but they were related to 802.1X authentication, not to my problem =/ ... however, thanks for the hint with the domain security policy, that was the final solution.

Thanks to both of you :)

L3 Networker

"Make sure you enable 'success' audits in the local security policy; these are disabled by default, so successful logins will not be logged."

Where would I find that setting?