04-11-2014 04:38 AM
Hi,
I've recently seen this a couple of times on completely separate firewalls / AD infrastructures (a 2050 cluster and a 3020 cluster, both running 5.0.8). User-ID is set up and working fine along with LDAP group mapping.
However on the odd occasion users report applications or URL categories blocked that should be allowed. It often "goes away" again soon.
I spotted in the URL and Traffic logs, the user is (for short periods) identified just as USERNAME, rather than DOMAIN\USERNAME...
This of course does not match rules with usernames specified in them.
Any ideas why it may drop the domain name occasionally?
Thanks
Dave
04-11-2014 10:52 AM
Dave,
This could be a known issue. Fixed in 5.0.7, bug ID 52383.
PAN-OS 5.0.7: Addressed Issues
5.0.7 has software buffer issues, and hence upgrading to this version is not recommended; 5.0.10 is a comparatively stable version.
HTH
Deepak
04-12-2014 03:37 PM
Do you know if those PCs from where the usernames appear without the domain are perhaps running some sort of service in the background that is only associated with the username (and is missing the domain)? Do you see logon events on the AD / DC security events with just the username? What is the user-ip-mapping on the User-ID agent when you see the logs on the firewall show only the username?
04-16-2014 03:32 AM
Thanks for that... I might be reading it wrong, but doesn't it say that was addressed/fixed in 5.0.7?
Unless it wasn't rolled into 5.0.8 for some reason...
Does look very similar though. I'll give a later build of 5.0.x a whirl today and see what happens!
04-16-2014 03:46 AM
Found this...
53258—Authenticating access to a file share folder hosted outside of the Active Directory domain was causing the firewall to change the User-IP Mapping to the username and password used to authenticate to the file share folder hosted outside of the Active Directory domain, instead of the Active Directory username and password.
Resolved in 5.0.11
So I'll be giving that a try!
04-16-2014 08:40 AM
The fix in 5.0.7 is good for the succeeding maintenance release too. My recommendation of not moving to 5.0.7 is due to a software pool depletion issue that you might run into in 5.0.7.
HTH
05-21-2014 09:11 PM
Is this a multi domain environment and do you have server session read enabled?
For multiple domain environments the data gathered from open sessions may not be accurate. This method does not deliver domain data with the user name and it is assumed that the user is a member of the domain that the monitored server is part of.
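To pin down when and on which hosts the symptom from this thread occurs, the following added example (not code from any poster or from Palo Alto Networks) scans an exported traffic log for source IPs whose user flips from `DOMAIN\USERNAME` to a bare `USERNAME`, and separately flags the case from bug 53258 where the mapping is replaced by a different account. The column names `receive_time`, `src` and `srcuser` and all sample rows are assumptions constructed for the example.

```python
import csv
import io

# Constructed sample in the shape of a traffic-log CSV export; the column
# names and every value are assumptions made for this example.
SAMPLE_CSV = """receive_time,src,srcuser
2014/04/11 04:30:01,10.1.1.20,CORP\\dave
2014/04/11 04:31:12,10.1.1.20,dave
2014/04/11 04:33:40,10.1.1.20,CORP\\dave
2014/04/11 04:34:02,10.1.1.31,CORP\\anna
2014/04/11 04:35:10,10.1.1.31,nasuser
2014/04/11 04:36:00,10.1.1.44,
"""


def split_user(name):
    """Return (domain, user); domain is '' when the name is unqualified."""
    domain, sep, user = name.partition("\\")
    return (domain, user) if sep else ("", name)


def find_domain_drops(rows):
    """Flag rows whose user has no domain, compared with the last qualified mapping for that IP."""
    last_qualified = {}  # source IP -> last domain-qualified user seen
    findings = []
    for row in rows:
        ip, name = row["src"], row["srcuser"].strip()
        if not name:
            continue  # unmapped traffic is a different problem
        domain, user = split_user(name)
        if domain:
            last_qualified[ip] = name
            continue
        known = last_qualified.get(ip)
        if known is None:
            kind = "bare_no_baseline"   # never saw a qualified name for this IP
        elif split_user(known)[1].lower() == user.lower():
            kind = "domain_dropped"     # same account, domain prefix missing
        else:
            kind = "user_changed"       # mapping replaced by another account
        findings.append((row["receive_time"], ip, name, known, kind))
    return findings


def scan(csv_text):
    """Parse CSV text and return the findings list."""
    return find_domain_drops(csv.DictReader(io.StringIO(csv_text)))


if __name__ == "__main__":
    for finding in scan(SAMPLE_CSV):
        print(finding)
```

The timestamps of the findings can then be lined up with the User-ID agent's user-ip-mapping and the DC security events for the same IP.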