User identification (AD)


L3 Networker

Dears,

We have a PA2020 implemented (with HA) and sometimes the user identification doesn't work well.

In the picture below we can see the following scenario:

ScreenShot340.jpg

1st line - PA2020 doesn't relate my IP to my user, and I got blocked accessing youtube.com (rule "Block R Sociais, Videos, Audio").

2nd line - PA2020 doesn't relate my IP to my user, so I could only access it because of the last "Allow All" rule (rule Permite Tudo).

3rd line - PA2020 doesn't relate my IP to my user, so I could only access it because of the last "Allow All" rule (rule Permite Tudo).

4th line - PA2020 recognizes my IP and relates it to my user "Fabio.garcia", so I could access it through rule "Permit - Grupo TI".

Those events happened in a very short time slot... around 40 seconds...

Why does PA sometimes recognize my user and sometimes not?

I am using 60 seconds for the update interval to identify users with my agent (AD).

ScreenShot342.jpg

Thanks in advance!!


L0 Member

Your timeout of 60 seconds seems really short.  This may not be enough time to read all of the users in your AD structure.  Try setting this to at least an hour and see if the problem resolves itself.

Hello, I made the change but I am still facing the problem...

Right now I am being blocked because PA cannot recognize my AD user (which is part of an allowed group).

The image below shows PA identifying my user and, soon after that, I was not recognized...

I got blocked, then allowed... then blocked...

I was wondering: if the problem were related to PA reading the AD user list, PA should either be able to or not... but that behavior doesn't follow a pattern... I mean, in a very short time window I was recognized, then not recognized...

It looks like for some packets PA can recognize my AD user, but for other packets PA can't... does that make any sense?

Logs

ScreenShot349.jpg

Please check the 2 lines at the bottom... it was a 2-second time window... and 2 different behaviors...

Thanks in advance!!

L3 Networker

Guys, look at the screenshot below...

Right now, the IP address below should be blocked, but as my PA cannot resolve that IP to the user... it can access the internet easily...

I would like to thank you guys for all the help I am receiving... but to be honest this has been very frustrating, especially for our directors, who spent a lot of money on this tool and it is not working... even PA support can't help me with this problem...

Anyway, thanks again for all the help you guys have been giving me these last weeks!!

ScreenShot352.jpg

Hi Fabio,

There were several User-ID and group mapping issues fixed in 4.1.9 and 4.1.10, are you on those versions or something older? In some cases, group mappings were being eliminated when making changes on the firewall or on the AD server, in others there is a timer being used to poll group changes.

Some commands you can issue in the CLI that can help pin down the issue when you are experiencing it:

> show user group-mapping state all

> show user group list

> show user user-IDs

> show user ip-user-mapping detail yes

Those commands can give you a list of your user IDs and the group mappings associated with them. You also may want to check to see the timeout and logs on your User-ID Agent. Make sure that User-ID is able to read the security logs on your DC. If it cannot, and it uses WMI or NetBIOS probing, sometimes those can be unreliable.

You also indicated that 193.242.41.103 can access the web. The "ALLOW WEB TRAFFIC" rule is letting it through. Check that rule, you will probably find that it is allowing outbound traffic without checking for user names.

Lastly, you mentioned that support could not help with the problem. If you have an active support contract I would encourage you to open a ticket. It sounds like this would be worth investigating if you are on a recent release.

Best,

Greg Wesson
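The pattern Fabio describes in the first post (one source IP alternately unmapped and mapped within about 40 seconds) and Greg's point that the catch-all rule is passing unmapped traffic can both be checked offline against a traffic-log export rather than by eyeballing screenshots. The script below is an added example written for this page; it is not code from the thread or from Palo Alto Networks. The CSV column order (receive time, source IP, source user, rule, action), the timestamps, IP addresses and the blank-user convention for an unmapped IP are constructed assumptions; the rule names are taken from the first post.

```python
"""
Flag User-ID mapping flaps and catch-all rule fall-through in a
Palo Alto traffic-log export.

Assumption: the export is CSV with columns
    receive_time,src_ip,src_user,rule,action
and an empty src_user means the firewall had no IP-to-user mapping
for that session. The sample below is constructed for this example.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample modelled on the thread: one IP is unmapped for
# three sessions, then mapped 16 s later; a second IP is stable.
SAMPLE_LOG = """\
2013/03/05 10:21:03,10.1.1.50,,"Block R Sociais, Videos, Audio",deny
2013/03/05 10:21:10,10.1.1.50,,Permite Tudo,allow
2013/03/05 10:21:25,10.1.1.50,,Permite Tudo,allow
2013/03/05 10:21:41,10.1.1.50,corp\\fabio.garcia,Permit - Grupo TI,allow
2013/03/05 10:25:00,10.1.1.77,corp\\alice,Permit - Grupo TI,allow
"""


def parse_log(text):
    """Parse CSV traffic-log lines into dicts; empty user -> None."""
    rows = []
    for ts, src, user, rule, action in csv.reader(io.StringIO(text)):
        rows.append({
            "time": datetime.strptime(ts, "%Y/%m/%d %H:%M:%S"),
            "src": src,
            "user": user or None,   # no IP-to-user mapping at log time
            "rule": rule,
            "action": action,
        })
    return rows


def find_flapping_ips(rows, window=timedelta(seconds=60)):
    """Return {src_ip: [(t_before, t_after, user), ...]} for every
    consecutive pair of sessions from one IP where the mapping state
    (known/unknown) changes within `window`. A healthy agent produces
    no entries; an agent that loses and regains mappings produces
    one per transition."""
    by_src = defaultdict(list)
    for r in sorted(rows, key=lambda r: r["time"]):
        by_src[r["src"]].append(r)

    flaps = {}
    for src, events in by_src.items():
        for prev, cur in zip(events, events[1:]):
            state_changed = (prev["user"] is None) != (cur["user"] is None)
            if state_changed and cur["time"] - prev["time"] <= window:
                user = cur["user"] or prev["user"]
                flaps.setdefault(src, []).append((prev["time"], cur["time"], user))
    return flaps


def catch_all_hits(rows, catch_all_rules):
    """Sessions with no user mapping that were allowed only because a
    catch-all rule (one that does not check the user) matched. These
    are the sessions a user-based policy never evaluated."""
    return [
        r for r in rows
        if r["user"] is None and r["action"] == "allow"
        and r["rule"] in catch_all_rules
    ]


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for src, events in find_flapping_ips(rows).items():
        for before, after, user in events:
            print(f"{src}: mapping state changed between {before:%H:%M:%S} "
                  f"and {after:%H:%M:%S} (user {user})")
    for r in catch_all_hits(rows, {"Permite Tudo"}):
        print(f"{r['src']} unmapped at {r['time']:%H:%M:%S}, "
              f"passed by catch-all rule '{r['rule']}'")
```

Run it against a real export by replacing SAMPLE_LOG with the file contents and putting the name of every rule that has no source-user condition in the `catch_all_rules` set; an IP that shows up in both reports is exactly the case from the thread, a host whose mapping comes and goes and whose unmapped sessions slip through the bottom of the rulebase.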
