User-ID rule to bypass HIP check not matching.

Reply
Highlighted
L1 Bithead

User-ID rule to bypass HIP check not matching.

Hi all,

 

I have a rule to allow certain Global Protect users DNS and RDP traffic by matching the user-id. However, even though it looks like the traffic should match when I view the traffic log it's not?! For some users the rule works fine but others it doesn't match and I can't work it out.

 

Any help would be greatly appreciated

 

Kevin.

Highlighted
Cyber Elite

@adrianflux,

Would really need to look at the logs to figure this out. You've verified that the user-id is recorded in the denied traffic logs and the rulebase entry properly passes when you do a test security-policy-match? Can you give us an output of the security entry and an example of one of the logs that isn't currently working? 

Highlighted
L3 Networker

Hi ,

 

Check the user-id how is formatted in the logs like :  domain\bob

Then check the traffic logs that you interested and check there the user , it should be something else and that is the reason why 

Then check the security policy to see if you have domain\bob like the user ID .

The HIP collection is taking the username and domain. 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!