User identification (AD)



Dears,

We have PA2020 implemented (w/ HA) and sometimes the user identification doesn't work well.

In the picture below we can see the following scenario:

[Screenshot: ScreenShot340.jpg (traffic log, four lines)]

1st line - PA2020 doesn't relate my IP to my user and I got blocked accessing youtube.com (rule "Block R Sociais, Videos, Audio")

2nd line - PA2020 doesn't relate my IP to my user, so I could only access because of the last "Allow All" (rule Permite Tudo)

3rd line - PA2020 doesn't relate my IP to my user, so I could only access because of the last "Allow All" (rule Permite Tudo)

4th line - PA2020 recognizes my IP and relates it to my user "Fabio.garcia", so I could access through rule "Permit - Grupo TI"

Those events happened in a very short time slot... around 40 seconds....

Why does PA sometimes recognize my user and sometimes not?

I am using 60 seconds for the update interval to identify users with my agent (AD).

[Screenshot: ScreenShot342.jpg (User-ID agent settings)]

Thanks in advance!!


Hi,

I'm having exactly the same problem with a customer.  PA-2020 standalone, PanOS 5.0.1.  Most traffic is 'tagged' correctly, sometimes it isn't.  We did not experience this issue on the previous software version, which was 4.1.6.

I implemented PAN Agent only, User-ID Agent 5.0.1-2 only, and a combination of both, but the issue always remains.  I also have a quite aggressive group mapping interval; I'll try lowering it to 5 minutes, but from your experience it doesn't look like that solves the issue.

I have a case open with support for this, but so far not much luck ...

Frederic

Hello,

After upgrading to version 5, are you still using the agent installed in a DC?

I hired a local consultancy and they said my problem would be related to different DCs in my environment.

I have 2003 DCs and 2008 DCs. So my agent has different profiles concerning the rights to access the logs... Event Log Readers doesn't show up in some DCs.... etc etc..

As a temporary solution we configured the agent user as domain admin, which is not a best practice. Next week my local consultancy will start to work and if I get a real solution for that I will post it here... don't worry.

Anyway, thanks in advance for your message.

Let's keep in touch!

We have 2 domain controllers in 1 domain, same subnet, both Windows 2008, nothing fancy.  I tried the 3 options: only the User-ID Agent, only the PAN Agent, both combined.  Always the same issue.


All.

I would like to comment on this discussion. Since we are all using the User Identification Agent on a remote box, one thing to check would be the LOGONSERVER for your username by running the SET command in a command prompt window. That LOGONSERVER is managing the security events for your username and if the User Identification Agent on the remote machine does not have the same LOGONSERVER IP Address in the configuration, then it won't be looking at the right server for your security events.

I was just about to update our UIA software before being told to look at this from PAN Support. Our UIA software is still on version 3.1.4. After double-checking the IP Address of the LOGONSERVER and making sure that it was inserted into the Domain Controller section, my user-ip-mapping was successful.

Hope all is fixed for you.
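An added example (not from this thread or from Palo Alto Networks) of the check described above, in PowerShell: resolve the LOGONSERVER of the current session and compare its IP with the Domain Controller list configured in the User-ID agent. The `$AgentDcList` values are a constructed placeholder; fill it from your agent's configuration.

```powershell
# Added example: verify that the DC handling this user's logon events is one
# the User-ID agent is configured to monitor.
# $AgentDcList is an assumption - copy the Domain Controller entries from the
# User-ID agent configuration here (constructed sample values below).
$AgentDcList = @('10.0.0.11', '10.0.0.12')

# LOGONSERVER is set by the Windows logon process, e.g. \\DC01
$logonServer = $env:LOGONSERVER.TrimStart('\')

# Resolve the logon server name to its IPv4 address(es)
$logonIps = [System.Net.Dns]::GetHostAddresses($logonServer) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
    ForEach-Object { $_.IPAddressToString }

Write-Host "Logon server for $env:USERNAME : $logonServer ($($logonIps -join ', '))"

# Any logon-server IP missing from the agent's list means the agent never sees
# the security events that map this user's IP address
$missing = $logonIps | Where-Object { $AgentDcList -notcontains $_ }
if ($missing) {
    Write-Warning "Logon server IP(s) $($missing -join ', ') are not in the agent's DC list; logon events for this user are not being read."
} else {
    Write-Host "OK: the agent monitors the DC that handles this user's logon events."
}

# Different sessions can authenticate against different DCs, so list every DC
# in the domain and make sure each one appears in the agent's list
nltest /dclist:$env:USERDNSDOMAIN
```

Run it from the affected client; repeating it after a fresh logon shows whether the logon server changes between sessions, which would explain intermittent mapping if only one DC is monitored.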

essilorbr wrote:

Hello,

After upgrading to version 5, are you still using the agent installed in a DC?

I hired a local consultancy and they said my problem would be related to different DCs in my environment.

I have 2003 DCs and 2008 DCs. So my agent has different profiles concerning the rights to access the logs... Event Log Readers doesn't show up in some DCs.... etc etc..

As a temporary solution we configured the agent user as domain admin, which is not a best practice. Next week my local consultancy will start to work and if I get a real solution for that I will post it here... don't worry.

Anyway, thanks in advance for your message.

Let's keep in touch!

From memory, there is some difference in the security rights required to read/audit the security logs between a Windows 2003 domain controller and a Windows 2008 domain controller.

You'll need to modify those permissions LOCALLY on the Windows 2008 domain controller, especially if your domain functional mode is lower than 2008 native - a domain policy won't work.

I'm working from a really faint memory, so I can't recall the exact differences - but I know I ran into them at some point.

Check the security policy on the Windows 2008 domain controller, and make sure your user agent account has the "Manage Auditing and Security Log" right.
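An added example (not from this thread) of that check, run in an elevated PowerShell prompt on the 2008 domain controller itself: export the local user-rights assignments with secedit and test whether the agent account is listed for SeSecurityPrivilege, the internal name of "Manage auditing and security log". The `$AgentAccount` value is an assumed placeholder.

```powershell
# Added example: does the User-ID agent account hold SeSecurityPrivilege
# ("Manage auditing and security log") in this DC's local security database?
$AgentAccount = 'CONTOSO\svc-userid'   # assumption: replace with the agent's service account

# Export only the user-rights area of the local policy to a temporary INF file
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# The INF holds one line per privilege: SeSecurityPrivilege = *S-1-5-32-544,...
$line = Get-Content $cfg | Where-Object { $_ -like 'SeSecurityPrivilege*' }
Remove-Item $cfg -ErrorAction SilentlyContinue

if (-not $line) {
    Write-Warning 'SeSecurityPrivilege is not defined in the exported local policy'
    return
}

# Holders are listed as SIDs prefixed with '*' (occasionally as names)
$holders = ($line -split '=', 2)[1].Trim() -split ','
$sid = (New-Object System.Security.Principal.NTAccount($AgentAccount)).Translate([System.Security.Principal.SecurityIdentifier]).Value

$granted = $holders | Where-Object { $_.TrimStart('*') -eq $sid -or $_ -eq $AgentAccount }
if ($granted) {
    Write-Host "$AgentAccount holds 'Manage auditing and security log' on $env:COMPUTERNAME"
} else {
    Write-Warning "$AgentAccount is not directly assigned SeSecurityPrivilege on $env:COMPUTERNAME"
    Write-Host "Current holders: $($holders -join ', ')"
}
```

The comparison is by direct assignment only: if the account holds the right through membership in a listed group (for example Administrators), the script reports it as missing, so check the group SIDs in the "Current holders" output before changing anything.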


Hi all,

It seems we were able to solve the issue on our end.  We did an upgrade to 5.0.2, but that didn't solve it.  After troubleshooting with support, we found out that the log records without user info actually were caused by user information cache timeouts.  The reason that logs with and without user information were mixed had to do with the fact that we only logged on session-end.

So, what we did to resolve the problem was enable WMI probing and allow WMI requests on all client hosts.  This fixed the problem entirely.

I guess that increasing the cache timeout on the User-ID Agent would have the same effect.

The only thing we do not know and cannot find out without testing (don't have any time for that) is what the difference was between the firewalls running 4.1.6 and now 5.0.x.

Frederic
