For details on cookie usage on our site, read our Privacy Policy
User-ID two usernames being identified by User-ID servers
- LIVEcommunity
- Discussions
- General Topics
- User-ID two usernames being identified by User-ID servers
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
User-ID two usernames being identified by User-ID servers
- Mark as New
- Subscribe to RSS Feed
- Permalink
02-25-2020 09:32 PM
Hi,
I am having troubles with getting the Palo's in my network to only use the UPN of a user in our environment. I would like to start creating security policies to control staff members access to resources based on their AD user rather than IP address and then further to that leverage groups. Long term of course the idea is to leverage AD groups to control access to resources, however I need to prove that this will work on individual users first.
It is not working currently because what I am seeing in the monitor logs is either domain\user.name or user.name@domain.local and because of this whenever I make a security policy sometimes it works for the end user and then the next moment it doesn't work. It will work 100% of the time if I update the policy to domain\user.name and user.name@domain.local . This of course is not practical and scalable.
Currently we are using 2 Palo Alto Windows Server Agents to get the access data from our AD servers. Palo Alto monitor logs are reporting back connected and the User-ID log shows the source as being either of these servers.
Here is some screenshots of our current configuration for the user & group mapping.
Are there additional settings, or things I need to be doing to resolve this and either only match on domain\user.name or user.name@domain.local
Thanks.
- Mark as New
- Subscribe to RSS Feed
- Permalink
02-25-2020 11:17 PM
if you want everything to be UPN, you'll need to set userPrincipalName in the User Object Search Filter, and in the primary Username, or set sAMAccountName in both
PANgurus - (co)managed services and consultancy
- Mark as New
- Subscribe to RSS Feed
- Permalink
02-26-2020 03:46 PM
@reaper - Thanks for your assistance here. I have updated the settings to match this but I am still seeing the duplicate username in the monitor traffic log and user-id log. Is this still expected? If this is expected and normal, I will do some policy testing just using the UPN.
Thanks.
- Mark as New
- Subscribe to RSS Feed
- Permalink
02-29-2020 07:05 PM
Just wondering if this document would help.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClpsCAC
Kavi
- Mark as New
- Subscribe to RSS Feed
- Permalink
03-01-2020 07:58 PM
@kgopichand- Thanks for sharing this post but I have already followed this guide and it sadly did not fix the issue.
Thanks,
- Cortex XDR PoC Lab ft. CVE-2021-3560 in Cortex XDR Discussions
- Azure PA HA DNS in VM-Series in the Public Cloud
- Captive Portal Turned on but redirect Pages don't respond in General Topics
- server hello message dropped at firewall in General Topics
- Azure VM cannot access the Internet in General Topics
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
