User-ID not mapping all users

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

User-ID not mapping all users

L2 Linker

I'm using the PA's integrated User-ID Agent to setup User-ID. The moment I began monitoring DC controllers it begain to pull User-ID mappings. This is before User-ID was configured on any zone. However, when I configured User-ID on a source zone, the firewall doesn't getting any user mappings from that source zone. Select IP addresses (approx. 5) will periodically show a mapping of "unknown" however it appears it's not getting a response from the other source IP addresses ( approx. 200) in that zone.

 

Any ideas on what could cause this?

1 accepted solution

Accepted Solutions

Hey @S.Cantwell 

 

I was in a rush and just providing limited information, but I went through the User-ID documentation completely when configuring User-ID, and I've configured User-ID successfully many times before. It was strange that I was getting limited reponses so I unconfigred all lthe setting, cleared the mappings. Then as I configured each piece, I monitored the mappings of the agent to try and dissect where the limited mapping were coming from. From that, I noticed that it began to populate prior to User-ID being enabled no the source zone.

 

I did some troubleshooting with my AD admin and found out that the AD servers do not log successful Logon events. I'm sure this plays a part in why logon from my source zone aren't being mapped by the agent, but doesn't quite explain withthe other mappings are there. 

View solution in original post

4 REPLIES 4

Cyber Elite
Cyber Elite

I would recommend that you take a look at the following section in the Admin guide for enabling UserID properly

 

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/user-id.html#

 

Essentially, it gets broken down into 3 parts.

 

1) Get LDAP/Group Mappings configured on FW.

Create LDAP Server Profile

User-ID Group Mapping Settings.

 

2) Users log into DC/Exchange server(s) like they normally do.

 

3) User ID on the source Zone enabled

 

 

So, the 200 or so computers need to be (generally) Windows machines, on the domain, autheticating to the domain.

When users authenticate, server log entry is created, with username/IP associated.

UserID aget, monitoring the DC, will extract user/IP info and show logs in FW (not in security policy)

 

Again, take a look at the UserID docs, and let us know how we can assist further.

 

 

Please help out other users and “Accept as Solution” if a post helps solve your problem !

Hello,

Also check the User Identification Timeout (min) setting. By default its something small like 45 mins. We had to bump ours to 720 mins to keep the users from dropping off during business hours since they might only authenticate in once. Another thing is if you use Exchange and everyone has Outlook, you can monitor the exchange logs and the chance of a use dropping off is slim since Outlook is always authenticating against exchange.

 

Regards,

Hey @S.Cantwell 

 

I was in a rush and just providing limited information, but I went through the User-ID documentation completely when configuring User-ID, and I've configured User-ID successfully many times before. It was strange that I was getting limited reponses so I unconfigred all lthe setting, cleared the mappings. Then as I configured each piece, I monitored the mappings of the agent to try and dissect where the limited mapping were coming from. From that, I noticed that it began to populate prior to User-ID being enabled no the source zone.

 

I did some troubleshooting with my AD admin and found out that the AD servers do not log successful Logon events. I'm sure this plays a part in why logon from my source zone aren't being mapped by the agent, but doesn't quite explain withthe other mappings are there. 

@OtakarKlier 

My hesitancy with extening user timeout has always been tied to dhcp timeout, and what would happen it if one user dropped of the network and another picked up their IP address. Then they'd potentiall have access (based on policy) to things they shouldn't. Or not have access to things they should.

 

I like the idea of using Exchange. So would I just configure the FQDN of the Exchange servers in the Server Monitoring tab?

 

Also a note from my other repsponse: I did some troubleshooting with my AD admin and found out that the AD servers do not log successful Logon events. I'm sure this plays a part in why logon from my source zone aren't being mapped by the agent, but doesn't quite explain withthe other mappings are there. 

Would that be a factor, if they same is true for the Exchange Server?

  • 1 accepted solution
  • 23946 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!