12-18-2012 08:11 AM
We have PA2020 implemented (w/ HA) and sometimes the user identification doesn't work well.
In the picture below we can see the following scenario
1st line - PA2020 doesn’t relates my IP w/ my user and I got blocked accessing youtube.com (rule “Block R Sociais, Videos, Audio”)
2nd line - PA2020 doesn’t relates my IP w/ my user so I could only access because of last “Allow All” (rule Permite Tudo)
3rd line - PA2020 doesn’t relates my IP w/ my user so I could only access because of last “Allow All” (rule Permite Tudo)
4th line - PA2020 recognizes my IP and relates with my user “Fabio.garcia” then I could access thru rule “Permit - Grupo TI”
Those events happend in a very short time slot... around 40 seconds....
Why PA sometimes regnizes my user, sometimes it doesnt ?
I am using 60 seconds for the update interval to identify users with my agent (AD)
Thanks in advance!!
12-18-2012 09:41 AM
Your timeout of 60 seconds seems really short. This may not be enough time to read all of the users in your AD structure. Try setting this to at least an hour and see if the problem resolves itself.
12-27-2012 05:11 AM
Hello, I did the change but I am still facing the problem...
Right now I am being blocked because PA cannot recognize my AD user (which is part of an allowed group)
The image below shows PA identifying my user and soon after that... I was not recognized...
I got blocked, then allowed... then blocked...
I was wondering, if the problem is related to PA reads the AD user list, PA should be able or not ... but that behavior doesnt follow a pattern... I mean... in a very short time window, I was recognized, then not recognized...
That looks like for some packets PA can recognize my AD user, but another packets PA cant do that... is that make any sense ?
Please check the 2 lines at the bottom... it was 2 seconds time window.... and 2 different behaviors....
Thanks in advance!!
12-28-2012 04:34 AM
Guys, look the screen shot below...
Right now, this IP address below should be blocked, but as my PA cannot resolve that IP to the user... he can access internet easily ...
I would like to thank you guys for all help I am receiving... but to be honest that has been very frustrating specially to our directors that spent a lot of money with this tool and that is not working... even PA support cant help me with this problem...
Anyway, thanks again all help you guys are giving me these last weeks!!
12-28-2012 09:37 AM
There were several User-ID and group mapping issues fixed in 4.1.9 and 4.1.10, are you on those versions or something older? In some cases, group mappings were being eliminated when making changes on the firewall or on the AD server, in others there is a timer being used to poll group changes.
Some commands you can issue in the CLI that can help pin down the issue when you are experiencing it:
> show user group-mapping state all
> show user group list
> show user user-IDs
> show user ip-user-mapping detail yes
Those commands can give you a list of your user IDs and the group mappings associated with them. You also may want to check to see the timeout and logs on your User-ID Agent. Make sure that User-ID is able to read the security logs on your DC. If it cannot, and it uses WMI or NetBIOS probing, sometimes those can be unreliable.
You also indicated that 126.96.36.199 can access the web. The "ALLOW WEB TRAFFIC" rule is letting it through. Check that rule, you will probably find that it is allowing outbound traffic without checking for user names.
Lastly, you mentioned that support could not help with the problem. If you have an active support contract I would encourage you to open a ticket. It sounds like this would be worth investigating if you are on a recent release.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!