08-26-2019 10:46 AM
I'm using the PA's integrated User-ID Agent to set up User-ID. The moment I began monitoring DC controllers it began to pull User-ID mappings. This is before User-ID was configured on any zone. However, when I configured User-ID on a source zone, the firewall isn't getting any user mappings from that source zone. Select IP addresses (approx. 5) will periodically show a mapping of "unknown"; however, it appears it's not getting a response from the other source IP addresses (approx. 200) in that zone.
Any ideas on what could cause this?
08-26-2019 01:12 PM
I would recommend that you take a look at the following section in the Admin guide for enabling UserID properly
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/user-id.html#
Essentially, it gets broken down into 3 parts.
1) Get LDAP/Group Mappings configured on FW.
Create LDAP Server Profile
User-ID Group Mapping Settings.
2) Users log into DC/Exchange server(s) like they normally do.
3) User ID on the source Zone enabled
So, the 200 or so computers need to be (generally) Windows machines, on the domain, authenticating to the domain.
When users authenticate, a server log entry is created, with username/IP associated.
The UserID agent, monitoring the DC, will extract user/IP info and show logs in the FW (not in security policy).
Again, take a look at the UserID docs, and let us know how we can assist further.
08-26-2019 02:09 PM
Hello,
Also check the User Identification Timeout (min) setting. By default it's something small like 45 mins. We had to bump ours to 720 mins to keep the users from dropping off during business hours, since they might only authenticate once. Another thing is if you use Exchange and everyone has Outlook, you can monitor the Exchange logs, and the chance of a user dropping off is slim since Outlook is always authenticating against Exchange.
Regards,
08-27-2019 07:37 AM
Hey @S.Cantwell
I was in a rush and just providing limited information, but I went through the User-ID documentation completely when configuring User-ID, and I've configured User-ID successfully many times before. It was strange that I was getting limited responses, so I unconfigured all the settings and cleared the mappings. Then, as I configured each piece, I monitored the mappings of the agent to try and dissect where the limited mappings were coming from. From that, I noticed that it began to populate prior to User-ID being enabled on the source zone.
I did some troubleshooting with my AD admin and found out that the AD servers do not log successful Logon events. I'm sure this plays a part in why logons from my source zone aren't being mapped by the agent, but it doesn't quite explain why the other mappings are there.
08-27-2019 07:55 AM
My hesitancy with extending the user timeout has always been tied to the DHCP timeout, and what would happen if one user dropped off the network and another picked up their IP address. Then they'd potentially have access (based on policy) to things they shouldn't. Or not have access to things they should.
I like the idea of using Exchange. So would I just configure the FQDN of the Exchange servers in the Server Monitoring tab?
Also a note from my other response: I did some troubleshooting with my AD admin and found out that the AD servers do not log successful Logon events. I'm sure this plays a part in why logons from my source zone aren't being mapped by the agent, but it doesn't quite explain why the other mappings are there.
Would that be a factor, if the same is true for the Exchange server?
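As an added illustration that is not part of this thread and not Palo Alto Networks' own code: a small Python model of what a DC-monitoring agent does with the Security log (S.Cantwell's steps 2 and 3, where a logon record with username/IP becomes a mapping) and of the timeout versus DHCP-reuse trade-off raised in the last two posts. Event IDs 4624 and 4634 are the standard Windows successful-logon and logoff IDs; the account names, addresses, times and the `reuse_logged` switch are constructed for the example, and the model deliberately ignores logoffs and many agent details.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, Optional

# Constructed sample records in the shape a DC-monitoring agent reads from the
# Windows Security log. 4624 = successful logon, 4634 = logoff. Names, IPs and
# times are made up for this example; they are not from the thread.
SAMPLE_EVENTS = [
    {"time": "2019-08-26T08:00:00", "event_id": 4624, "user": "CORP\\alice", "ip": "10.1.20.15"},
    {"time": "2019-08-26T08:02:00", "event_id": 4624, "user": "CORP\\bob",   "ip": "10.1.20.16"},
    {"time": "2019-08-26T08:03:00", "event_id": 4624, "user": "CORP\\WS01$", "ip": "10.1.20.17"},  # machine account
    {"time": "2019-08-26T08:05:00", "event_id": 4634, "user": "CORP\\bob",   "ip": "10.1.20.16"},  # logoff, ignored here
    {"time": "2019-08-26T09:10:00", "event_id": 4624, "user": "CORP\\carol", "ip": "10.1.20.15"},  # alice's old DHCP lease reused
]


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


@dataclass
class Mapping:
    user: str
    learned_at: datetime


class MappingTable:
    """IP -> user table with a User Identification Timeout, as the agent keeps it."""

    def __init__(self, timeout_minutes: int = 45):  # 45 min is the default the thread mentions
        self.timeout = timedelta(minutes=timeout_minutes)
        self.by_ip: Dict[str, Mapping] = {}

    def ingest(self, ev: dict) -> bool:
        """Learn a mapping from one audit record; True if the record produced one."""
        if ev["event_id"] != 4624:                  # only successful logons carry a usable user/IP pair;
            return False                            # a DC that does not audit them yields nothing
        if ev["user"].endswith("$"):                # computer accounts are not people
            return False
        if ev["ip"] in ("-", "127.0.0.1", "::1"):   # no routable source address to map
            return False
        self.by_ip[ev["ip"]] = Mapping(ev["user"], _ts(ev["time"]))
        return True

    def lookup(self, ip: str, now: datetime) -> Optional[str]:
        """User currently attributed to ip, or None (shown as "unknown") once the timeout has elapsed."""
        m = self.by_ip.get(ip)
        if m is None or now - m.learned_at > self.timeout:
            self.by_ip.pop(ip, None)
            return None
        return m.user


def build_table(events: Iterable[dict], timeout_minutes: int) -> MappingTable:
    table = MappingTable(timeout_minutes)
    for ev in events:
        table.ingest(ev)
    return table


def attributed_user(timeout_minutes: int, ip: str, at: str, reuse_logged: bool = True) -> Optional[str]:
    """Who policy would treat as the owner of `ip` at time `at`.

    reuse_logged=False drops carol's 09:10 logon record, i.e. the second user on
    the reused address was never audited. That is the stale-mapping case the
    long-timeout discussion worries about.
    """
    events = SAMPLE_EVENTS if reuse_logged else [e for e in SAMPLE_EVENTS if e["user"] != "CORP\\carol"]
    return build_table(events, timeout_minutes).lookup(ip, _ts(at))


if __name__ == "__main__":
    for minutes in (45, 720):
        print(minutes, "min, 10.1.20.16 at 09:00 ->", attributed_user(minutes, "10.1.20.16", "2019-08-26T09:00:00"))
        print(minutes, "min, 10.1.20.15 at 09:30, reuse unlogged ->",
              attributed_user(minutes, "10.1.20.15", "2019-08-26T09:30:00", reuse_logged=False))
```

The two runs show the trade-off in one place: with the 45 minute default bob drops to "unknown" by 09:00 although he is still at his desk, while with 720 minutes the address alice left is still attributed to her at 09:30 whenever the next user's logon was not audited, so the longer timeout is only safe when the new logon on a reused address is reliably seen (which is exactly what a DC that does not log successful logons cannot provide).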