06-04-2018 06:25 PM
All,
When we first installed our User-ID Agent service on Windows Server 4-5 years ago we implemented Security Log Reading (from domain controllers logs), AD Session Scanning, and MWI polling. About 5-6 days ago we started running into issues (which we have yet to determine what is causing it), where polling seems to be openeing up multiple connections at a time causing our WAN optimizer to start trying to optimize 10x connections than normal. After delving into the latest best practices, it seems that Session Scanning and MWI polling are no longer recommended, and just reading the AD logs and Syslogs are the best way to go.
Question: If I just enable reading the windows logs from the domain controllers, should it be populating the User-ID agent with IP addresses of users? When I turn off session scanning and WMI probing, the IP list is empty. As I've always used all three options, I'm not sure if what is "normal" and I can't find any supporting documentation that explains one way or the other.
Sincerely,
-Matt
06-05-2018 01:00 AM
Hi @mlinsemier
yes, log reading is the main way to populate user-ip mappings
Logs contain a username + ip which are learned when a user logs on
WMI probes are used on 'known' ip-user maps to verify if the user is still logged on, or, for 'unknown' ips to probe if a user can be learned (this happens when the firewall gets a connection from an unmapped IP in the user-id enabled zones, it will request the user-id agent for informnation on the IP and if the agent does not already have a mapping it will try a probe)
'server session reads' are used to detect users with mapped network drives (whenever the drive is touched, the user source + credentials can be refreshed/learned)
so, since your WAN optimizer went into overdrive, and after disabling probing your ip's aren't populating, your log reading may have gotten disabled somehow, causing you to start probing every single IP rather than learning ip's from the log and only periodically probing
06-05-2018 10:06 AM - edited 06-05-2018 10:13 AM
Thanks for the reply on this. So i started completley from scratch on my configuration in attempts to more easily troubleshoot. Without any networks in the include list, I get no IP addresses in the Monitoring Tab under discovered users. When I add an office IP range to the Discovery, i start seeing logs such as these.
IP x.x.x.x is not in the include list
IP x.x.x.x is not in the include list
IP x.x.x.x is not in the include list
IP x.x.x.x is not in the include list
IP x.x.x.x is not in the include list
IP x.x.x.x is not in the include list
When I add one of these networks which I know has users on it, the error in debug goes away, but the Monitor still shows 0 IPs.
It's almost like it is seeing the IP's from the domain controllers as it writes them in the log, but then is not saving them. This is why I was asking about normal operation with just log reading on as I was thinking perhaps monitoring only was for addresses that were also polled. Completely confused here.
-Matt
06-05-2018 11:18 AM
06-05-2018 11:44 AM
Okay, that makes sense because I paired down the "Allowed IPs" that the remote Palo Alto's are looking for IP to User Mappings.
For the audit events, are you speaking of the Event Viewer on the domain controller itself?
06-05-2018 11:51 AM
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
