This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
Accept
Reject

User-ID - one user occasionally not hitting the user based policy

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

User-ID - one user occasionally not hitting the user based policy

nikoo
L3 Networker

‎08-07-2018 05:57 AM - edited ‎08-08-2018 05:33 AM

PAN-OS 8.1.2, User-ID configured with Windows AD single domain. There are security rules built, based on users/user groups. It is mostly working as intended, but specifically there's [at least] one user that has a different behavior - some user-based (not group) rules are occasionally missing, even through they did hit the policy a few moments ago. Same traffic, same packet fields - IPs/ports, etc., but suddenly it goes through Deny, instead of hitting the Permit policy. At the same time same rules works fine for a different user. After a moment, it may start hitting the proper rule again.

When checking via CLI, faulty user is registered properly- there is user-ip mapping, user-group mapping, etc. 

If creating additional rule, based on IP only, without username used - it hits that rule if it is missing the user-based rule, so there should an issue with User-ID, but not widely seen as there are a bunch of user/group rules used and they are working fine. Issue have been noticed with one specific user, but it is no different than any other user seen around.

useridd.log shows such an message, where <domain> - proper domain and <username> - username for the tricky user:

Warning:  pan_user_group_user_prime_uid_lookup(pan_user_group_multi_attr.c:1306): For <domain>\<username> user, domain <domain> does not exist in group-mapping

 

I've tried resetting, clearing, refreshing, etc., but that didn't help.

 

Don't want to overwhelm with configuration, but maybe spew some ideas where to look?

 

Thanks!

0 Likes Likes
12 REPLIES 12

MickBall
L7 Applicator
In response to nikoo

‎08-13-2018 02:21 AM

quick question,

 

when you created the rule for "IP" below the "user group" one, did you create a new rule from scratch.

 

it may be best to clone the user rule and just edit the source ip and user fields.

 

Also, (clutching at straws here). I would create a couple of cloned rules before the IP one to eliminate group membership issues...

 

1. source user = domain\username

2. source user = username

 

this may show some interesting results..

 

Or.. it may not... 

 

just to see if the user matches to one of these...

0 Likes Likes

nikoo
L3 Networker
In response to MickBall

‎08-13-2018 06:21 AM

Cloned the rule, yep. Left everything the same, but removed source user statement.

Will try poking around, yep.

0 Likes Likes

SurajN
L2 Linker

‎08-12-2021 05:34 AM

I'm also facing issue like this.

User id not fetching  in traffic logs. we created user base rule on that basis mapped ip address shows user id for same rule .but some time user is not authenticated from that user base policy rule and it is moving from next any any rule. if it is moving from any any rule that time it is not showing user-id mapping.

0 Likes Likes

rlambright
L1 Bithead

‎10-25-2021 02:33 PM

Has anyone found a solution to this issue?

0 Likes Likes

BPry
Cyber Elite
Cyber Elite
In response to rlambright

‎10-25-2021 04:03 PM

@rlambright,

What issue are you actually running into, can you describe your particular problem? Usually when users report an issue like this what you're running into is the user-id mapping aging out because you aren't seeing any authentication events in a timely manner so your user based entries won't match traffic anymore. 

0 Likes Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Copyright 2007 - 2023 - Palo Alto Networks