For details on cookie usage on our site, read our Privacy Policy
User-ID - one user occasionally not hitting the user based policy
- LIVEcommunity
- Discussions
- General Topics
- Re: User-ID - one user occasionally not hitting the user based policy
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
User-ID - one user occasionally not hitting the user based policy
- Mark as New
- Subscribe to RSS Feed
- Permalink
08-07-2018 05:57 AM - edited 08-08-2018 05:33 AM
PAN-OS 8.1.2, User-ID configured with Windows AD single domain. There are security rules built, based on users/user groups. It is mostly working as intended, but specifically there's [at least] one user that has a different behavior - some user-based (not group) rules are occasionally missing, even through they did hit the policy a few moments ago. Same traffic, same packet fields - IPs/ports, etc., but suddenly it goes through Deny, instead of hitting the Permit policy. At the same time same rules works fine for a different user. After a moment, it may start hitting the proper rule again.
When checking via CLI, faulty user is registered properly- there is user-ip mapping, user-group mapping, etc.
If creating additional rule, based on IP only, without username used - it hits that rule if it is missing the user-based rule, so there should an issue with User-ID, but not widely seen as there are a bunch of user/group rules used and they are working fine. Issue have been noticed with one specific user, but it is no different than any other user seen around.
useridd.log shows such an message, where <domain> - proper domain and <username> - username for the tricky user:
Warning: pan_user_group_user_prime_uid_lookup(pan_user_group_multi_attr.c:1306): For <domain>\<username> user, domain <domain> does not exist in group-mapping
I've tried resetting, clearing, refreshing, etc., but that didn't help.
Don't want to overwhelm with configuration, but maybe spew some ideas where to look?
Thanks!
- Mark as New
- Subscribe to RSS Feed
- Permalink
10-26-2021 05:51 AM
yeah, basically the same issue as @nikoo described above. We have about 10 users (out of 300+) that randomly get denied internet access for 5 to 15 minutes because none of policies catch them and they get the default policy. The useridd.log says that the user doesn't belong to any AD groups during these times.
- Mark as New
- Subscribe to RSS Feed
- Permalink
10-26-2021 05:59 AM
check the User-IP mapping to see if it is againg-out correctly, if not check your User-ID Sources and change the time-out accordingly if needed.
- Mark as New
- Subscribe to RSS Feed
- Permalink
10-26-2021 11:40 PM
@rlambright, at my specific case it was noted as a bug and fix was provided. General issue was with mixing UPN and SAM type of usernames in the policies. PAN-153614, fixed in 9.1.8 & 10.0.5.
> Configure one specific user-attribute in all the security policies"
- IKE phase 1 not working in General Topics
- Traffic stops hitting when one of two FQDN objects in policy not resolvable in General Topics
- Global Protect Gateway on PA500-VM in GCP in GlobalProtect Discussions
- App-ID Override Policy Matching in Next-Generation Firewall Discussions
- Prisma Access : CLI or SSH Access in Prisma Cloud Discussions
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
