User-ID Policy not being used

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

User-ID Policy not being used

L2 Linker

We have an agentless User-ID setup. Firewall is able to pull user accounts from the AD.

User-ID based policies were created on top of IP-Based policies.

 

However, some user traffic can be seen using the user-id based policies, some users can be seen using the IP-based policies.

This happens on all of my sites.

 

Is this a normal behavior? Or is there something wrong on my setup. 

6 REPLIES 6

Cyber Elite
Cyber Elite

Hello,

Here are a few things to check out. 

 

Check your timeout settings

Device tab -> User Identification -> User Mapping -> User Identification Timeout

I have mine set to 720 minutes but the default is 45 minutes.

 

Check the zone settings to make sure they are set to use User-ID

Network tab -> Zones 

Make sure the user-id boxes are checked on the zones you wish to monitor. Also if you are using subnets to specific 'Included Networks' make sure the subnets you need to monitor are listed.

 

Hope this helps.

L7 Applicator

not sure if I'm reading your post correctly but...

 

just because you have a user policy it does not mean that they can only use that policy. if the user IP address matches your IP policy then you will see traffic with the users name using that policy...

 

that sounds confusing... sorry.

Cyber Elite
Cyber Elite

I'm reading your explanation the same way as @Mick_Ball I think

 

User mapping and IP addresses are not mutually exclusive but rather an added layer of identification as your IP's may be shared between different departments and some things should only be limited based on the IP address a connection is coming from (the intranet), and some things need to be limited based on the user-ID or group membership (HR salary system, IT database, ...)

 

so rules created with only an IP will match any IP that matches the subnet, any policy created with a username or group will require UserID to have positively identified the user before the rule can be matched

 

Here's an article that could be helpful: https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-User-ID/ta-p/69321

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Hi Otakar.Klier, thanks for replying. I'm already using those settings except for the User Identification Timeout. I'm still using the default of 45 minutes.

Hi Mickball, thanks for replying. I get your point.

I have a user policy on top of my IP policy.

For example
Policy #1 User policy has hq\netengr1 and hq\netengr2 as source user, any as source IP
Policy #2 IP policy has 192.168.1.0/24 source IP and any source user.

hq\netengr1 uses the correct policy (policy 1). However hq\netengr2 traffic falls to policy #2, even if he's logged in using the correct account. That's my problem, any tips on where to check?

@theonewhoknocks, thanks for the confirmation...

 

OK so im going to assume all users are allowed out via Policy2.

 

does netengr2 ever go out via policy1 or is it just some of his traffic...

does netengr1 ever go out via policy2...

are netengr1 & 2 going to the same sites... perhaps this could be worth testing.

 

do you have any other explicit rules in Policy1, such as application,service, profiles etc that could be affecting netengr2.

 

is policy 2 exactly the same as policy1 apart from the source user....

 

I would add a test policy between 1 & 2, source user netmngr2 any any any any any DENY and log session start.

 if he is still allowed via any any 192.168.1.0/24 policy then you know its the user-id. we can look into this once confirmed...

 

if he still

 

 

 

 

 

  • 3891 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!