User-ID Mappings Not Showing

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

User-ID Mappings Not Showing

L2 Linker

Hi All,

 

As the title suggest, I'm not getting any local user-ip mappings from our Active Directory Domain Controllers.

 

if I do a "show user server-monitor state all" on the cli I can see the output below (I've removed the domain controller hostname and IP for anonymity) 

 

num of log query made : 304
num of log query failed : 0
num of log read : 0
last record timestamp : 0
last record time :


num of log query made : 314
num of log query failed : 0
num of log read : 0
last record timestamp : 0
last record time :


num of log query made : 302
num of log query failed : 0
num of log read : 0
last record timestamp : 0
last record time :


num of log query made : 313
num of log query failed : 0
num of log read : 0
last record timestamp : 0
last record time :


Last error: Connection refused
num of log query made : 3314
num of log query failed : 3314
num of log read : 0
last record timestamp : 0
last record time :

 

one controller has an issue (bottom) but the others, all have a log read of 0? stats are low too, likely as I ran the reset command to reconnected to the DCs.

 

The firewall reports those DCs are "Connected", bottom isn't although that's another issue.

 

is this going to be a permissions issue with the service account used for the server monitor?

 

I've checked its in the right AD groups, Distributed COM Users, Event Log Readers, Domain Users and Server Operators.

 

any other areas I have missed?

 

Thanks

Ian

5 REPLIES 5

Community Team Member

Hi @IanBroadway ,

 

Are you using agentless or UID-agent for your ip-user-mapping ?

What information did you see in your logs ?

 

-Kiwi.

 
LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Agentless, nothing obvious in firewall logs.

 

I don't have access to the DCs to check those. I have since raised this with our support vendor now to escalate.

 

They have taken the outputs mentioned in this post along with a techsupport dump from the firewall itself.

You'll need to enable auditing of "logon success" in the "local security policies" of the AD

These are disabled by default

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

I'll ask them to check this also.

 

thing is though, this has been working for a good few weeks, its randomly stopped.

is there a knowledge base for this step?

 

You'll need to enable auditing of "logon success" in the "local security policies" of the AD

 

its not part of the implementation guide?

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGGCA0

 

  • 6432 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!