User-ID Service - Client IP Population


All,

 

When we first installed our User-ID Agent service on Windows Server 4-5 years ago we implemented Security Log Reading (from domain controller logs), AD Session Scanning, and WMI polling.  About 5-6 days ago we started running into issues (which we have yet to determine the cause of), where polling seems to be opening up multiple connections at a time, causing our WAN optimizer to start trying to optimize 10x more connections than normal.  After delving into the latest best practices, it seems that Session Scanning and WMI polling are no longer recommended, and just reading the AD logs and syslogs is the best way to go.

 

Question:  If I just enable reading the Windows logs from the domain controllers, should it be populating the User-ID agent with IP addresses of users?  When I turn off session scanning and WMI probing, the IP list is empty.  As I've always used all three options, I'm not sure what is "normal" and I can't find any supporting documentation that explains it one way or the other.

 

Sincerely,

 

-Matt

5 REPLIES


Hi @mlinsemier

 

Yes, log reading is the main way to populate user-to-IP mappings.

 

Logs contain a username + IP, which are learned when a user logs on.

 

WMI probes are used on 'known' IP-user maps to verify if the user is still logged on, or, for 'unknown' IPs, to probe if a user can be learned (this happens when the firewall gets a connection from an unmapped IP in the User-ID enabled zones: it will request information on the IP from the User-ID agent, and if the agent does not already have a mapping it will try a probe).

 

'Server session reads' are used to detect users with mapped network drives (whenever the drive is touched, the user source + credentials can be refreshed/learned).

 

So, since your WAN optimizer went into overdrive, and after disabling probing your IPs aren't populating, your log reading may have gotten disabled somehow, causing you to start probing every single IP rather than learning IPs from the log and only periodically probing.

 

 

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

@reaper


Thanks for the reply on this.  So I started completely from scratch on my configuration in an attempt to more easily troubleshoot.  Without any networks in the include list, I get no IP addresses in the Monitoring tab under discovered users.  When I add an office IP range to the Discovery, I start seeing logs such as these.  

 

IP x.x.x.x is not in the include list

IP x.x.x.x is not in the include list

IP x.x.x.x is not in the include list

IP x.x.x.x is not in the include list

IP x.x.x.x is not in the include list

IP x.x.x.x is not in the include list

 

When I add one of these networks which I know has users on it, the error in debug goes away, but the Monitor still shows 0 IPs.

 


 

It's almost like it is seeing the IPs from the domain controllers as it writes them in the log, but then is not saving them.  This is why I was asking about normal operation with just log reading on, as I was thinking perhaps monitoring only showed addresses that were also polled.  Completely confused here.

 

-Matt

The IPs under the x.x.x.x, are they in your expected subnet? It could be that the firewall is polling your agent for "unknown" IPs and that's what's causing these logs (without a filter you should get _all_ IPs from the log).

Just as a sanity check, can you go through the windows event viewer to see if you can find any EventID 4768 (Authentication Ticket Granted), 4769 (Service Ticket Granted), 4770 (Ticket Granted Renewed), or 4624 (Logon Success) logs?
Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Okay, that makes sense, because I pared down the "Allowed IPs" that the remote Palo Altos are looking for IP-to-user mappings for.

 

For the audit events, are you speaking of the Event Viewer on the domain controller itself?

Yes, the server that the User-ID agent is polling should have at least one of these events in the Event Viewer.
If they don't show up, you'll want to go into your local security policy and enable auditing for "logon success".
Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
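The two checks Tom describes above (confirm the domain controller is actually writing 4624/4768/4769/4770 events, and that the matching audit subcategories are enabled) can be done in one pass, and the same pass shows what a log-reading-only User-ID agent would learn: the username + client IP pairs carried in those events. The script below is an added example written for this thread; it is not code from the original posts or from Palo Alto Networks. It assumes it is run on the domain controller the agent reads, by an account in "Event Log Readers" (or an administrator), and the lookback window parameter is an assumption.

```powershell
# Added example, not from the thread or from Palo Alto Networks.
# Run on the domain controller the User-ID agent reads, as a member of
# "Event Log Readers" or an administrator. $LookbackMinutes is an assumed parameter.
[CmdletBinding()]
param(
    [int]$LookbackMinutes = 60
)

# --- 1. Are the audit subcategories that generate these events enabled? ---
# Subcategory -> event IDs it produces. Each must report "Success" (or
# "Success and Failure"); "No Auditing" means the agent has nothing to read.
$needed = [ordered]@{
    'Logon'                              = '4624'
    'Kerberos Authentication Service'    = '4768'
    'Kerberos Service Ticket Operations' = '4769/4770'
}
foreach ($sub in $needed.Keys) {
    $setting = 'not found'
    # auditpol prints the effective policy, including settings pushed by GPO.
    foreach ($line in (auditpol /get /subcategory:"$sub")) {
        if ($line -match "^\s+$([regex]::Escape($sub))\s+(.+?)\s*$") {
            $setting = $Matches[1]; break
        }
    }
    $state = if ($setting -match 'Success') { "OK ($setting)" } else { "MISSING ($setting)" }
    '{0,-36} {1,-10} {2}' -f $sub, $needed[$sub], $state
}

# --- 2. Rebuild user-to-IP mappings from the Security log ---
$filter = @{
    LogName   = 'Security'
    Id        = 4624, 4768, 4769, 4770
    StartTime = (Get-Date).AddMinutes(-$LookbackMinutes)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning "No 4624/4768/4769/4770 events in the last $LookbackMinutes minutes; check the audit settings above."
    return
}

$mappings = foreach ($e in $events) {
    # EventData is a list of <Data Name="...">value</Data>; flatten it to a hashtable.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $user = $data['TargetUserName']
    $ip   = $data['IpAddress']

    # Skip what is useless for a user mapping: machine accounts, anonymous/system
    # logons, and events with no client address (local/interactive logons log "-").
    if (-not $user -or $user.EndsWith('$') -or $user -in @('ANONYMOUS LOGON', 'SYSTEM')) { continue }
    if (-not $ip   -or $ip -in @('-', '::1', '127.0.0.1')) { continue }

    [pscustomobject]@{
        Time    = $e.TimeCreated
        EventId = $e.Id
        User    = ($user -split '@')[0]           # 4769 logs user@REALM
        IP      = $ip -replace '^::ffff:', ''     # Kerberos events use IPv4-mapped IPv6
    }
}

# Keep only the newest mapping per IP, which is what the agent's table holds.
$latest = $mappings | Group-Object IP | ForEach-Object {
    $_.Group | Sort-Object Time -Descending | Select-Object -First 1
}
$latest | Sort-Object Time -Descending | Format-Table Time, EventId, User, IP -AutoSize
```

If this table is populated on the DC but the agent's Monitoring tab stays empty, the problem is downstream of Windows: the agent is reading a different server, its service account lacks rights to the Security log, or its include/exclude list drops every address (the "IP x.x.x.x is not in the include list" messages above are that filter in action). If the table is empty, fix the "MISSING" subcategories first; nothing the agent does can create mappings from events that were never written.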