04-15-2020 04:36 AM
Hi All,
As the title suggest, I'm not getting any local user-ip mappings from our Active Directory Domain Controllers.
if I do a "show user server-monitor state all" on the cli I can see the output below (I've removed the domain controller hostname and IP for anonymity)
num of log query made : 304
num of log query failed : 0
num of log read : 0
last record timestamp : 0
last record time :
num of log query made : 314
num of log query failed : 0
num of log read : 0
last record timestamp : 0
last record time :
num of log query made : 302
num of log query failed : 0
num of log read : 0
last record timestamp : 0
last record time :
num of log query made : 313
num of log query failed : 0
num of log read : 0
last record timestamp : 0
last record time :
Last error: Connection refused
num of log query made : 3314
num of log query failed : 3314
num of log read : 0
last record timestamp : 0
last record time :
one controller has an issue (bottom) but the others, all have a log read of 0? stats are low too, likely as I ran the reset command to reconnected to the DCs.
The firewall reports those DCs are "Connected", bottom isn't although that's another issue.
is this going to be a permissions issue with the service account used for the server monitor?
I've checked its in the right AD groups, Distributed COM Users, Event Log Readers, Domain Users and Server Operators.
any other areas I have missed?
Thanks
Ian
04-16-2020 03:22 AM
Hi @IanBroadway ,
Are you using agentless or UID-agent for your ip-user-mapping ?
What information did you see in your logs ?
-Kiwi.
04-16-2020 03:44 AM - edited 04-16-2020 03:45 AM
Agentless, nothing obvious in firewall logs.
I don't have access to the DCs to check those. I have since raised this with our support vendor now to escalate.
They have taken the outputs mentioned in this post along with a techsupport dump from the firewall itself.
04-16-2020 05:26 AM
You'll need to enable auditing of "logon success" in the "local security policies" of the AD
These are disabled by default
04-16-2020 05:37 AM
I'll ask them to check this also.
thing is though, this has been working for a good few weeks, its randomly stopped.
04-16-2020 06:33 AM
is there a knowledge base for this step?
You'll need to enable auditing of "logon success" in the "local security policies" of the AD
its not part of the implementation guide?
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGGCA0
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
