User identification not working properly


Hi,

We are facing the issue that user identification is not working properly.

I am running PAN-OS 4.1.4 on a PA-200 device and User-ID Agent 4.1.4-3 on a Windows 2008 R2 member server.

The UI agent is connected to both the DCs (Windows 2003 servers) and our LAN address is entered in the list of configured networks.

Everything shows "green" and connected.

But I only see a subset of users that are currently logged in to the domain when I run "show user user-ip-mapping" in the CLI.

All users/workstations are in the IP range of the defined LAN.

Curiously, I sometimes see IP addresses and users that are not within this subnet. It looks like these are the computer accounts of our internet provider's DNS servers or so.

On our second site I have a similar setup.

There we have only one DC (Win 2008 R2) and the UI Agent is running directly on that server. All the versions are the same as in our first site.

Everything is running perfect over there.

Because of that I thought it might help to have the UI agent running directly on the DCs. I installed the agents on both DCs at our first site and set up the connections to the UI agents from the Firewall. The result is still the same: not all users are listed...

Any ideas what the issue could be?

Thanks!

Christof

7 REPLIES

On the UI Agent itself, do you find that the users are showing up correctly but that they are missing on the Firewall? Or, are the users missing on the UI Agent as well?

Note that the users will show up in the UI Agent when they authenticate against AD and their logon event is registered as a security event in the AD logs.

If you find that the users show up correctly on the UI Agent but not on the Firewall, then please contact the Support team.

If, however, the users are missing on the UI Agent itself, then check the AD logs (and the logs on the UI Agent) to see if there are ticket-granted events for those user logons.
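The check described above (are there ticket-granted events on the DC for the users the agent is missing?) can be scripted. The following is an added example, not code from the thread or from Palo Alto Networks; it assumes a Windows 2008 R2 DC (event ID 4768), a hypothetical LAN prefix of 192.168.10. and a 10-hour look-back, all of which are placeholders to adjust. It reduces the Security log to user/IP pairs for the LAN so the list can be compared against what the UI Agent shows and against "show user user-ip-mapping" on the firewall.

```powershell
# Added example (not from the original thread): list successful Kerberos TGT
# events on a DC and reduce them to user -> client IP pairs for one subnet.
# Assumptions (placeholders, not from the post): DC name, LAN prefix, look-back.
param(
    [string]$DomainController = 'localhost',    # hypothetical DC to query
    [string]$SubnetPrefix     = '192.168.10.',  # hypothetical LAN range
    [int]$HoursBack           = 10              # default Kerberos ticket lifetime
)

# Event 4768 = "A Kerberos authentication ticket (TGT) was requested" (2008 R2+).
# Windows 2003 DCs log the pre-Vista equivalent, event 672, in the old log format.
$filter = @{
    LogName   = 'Security'
    Id        = 4768
    StartTime = (Get-Date).AddHours(-$HoursBack)
}
$events = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction Stop

$mappings = @{}
foreach ($e in $events) {
    # Pull fields by name from the event XML rather than by positional index.
    $data   = ([xml]$e.ToXml()).Event.EventData.Data
    $user   = ($data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
    $ip     = ($data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
    $status = ($data | Where-Object { $_.Name -eq 'Status' }).'#text'

    # Keep only successful TGTs (Status 0x0) and skip computer accounts (name ends in '$'),
    # which are not interactive user logons and can show up with unexpected addresses.
    if ($status -ne '0x0' -or $user -like '*$') { continue }

    # IPv4 clients are logged as IPv4-mapped IPv6 ("::ffff:192.168.10.5"); strip the prefix.
    $ip = $ip -replace '^::ffff:', ''
    if (-not $ip.StartsWith($SubnetPrefix)) { continue }

    # Get-WinEvent returns newest first, so the first hit per user is the latest IP.
    if (-not $mappings.ContainsKey($user)) { $mappings[$user] = $ip }
}

# One line per user: compare this against the UI Agent's user list and the firewall's
# "show user user-ip-mapping" output to see which side is dropping the entry.
$mappings.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize
```

If a user is present here but absent from the agent, the agent is not reading or retaining the event; if the user is absent here as well, the client never obtained a fresh TGT from this DC in the window (for example it authenticated against the other DC, or its ticket is still within its lifetime). For the Windows 2003 DCs in the first site, query event 672 with Get-EventLog instead, since Get-WinEvent cannot read a 2003 Security log remotely.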

The users are already missing on the UI agent. So it is clear that the firewall does not know them either.

I changed the UI agent now to server session read = enabled, and now the users are correctly identified.

It seems that the security tickets are not sufficient to keep the user-IP mapping up to date.

Has anyone else had that experience as well?

GlobalProtect (optional licence and requires a client installed on all PCs) is the only way to do this properly from my experience. I tried everything from User agent, autologon script etc. ... 95% accurate at best, yet leaving 5% of the population creating tickets because they don't have access to a resource.

If it's only to ID people for internet, Captive Portal will do the job also.

Basically it is only for Internet usage, yes.

But I don't want people to have to authenticate manually for Internet use. The result of that may be that people share their passwords 😉

Thanks for sharing your experience!

Christof

GlobalProtect (optional licence) would do the job great if you cannot set up a 100% working solution with User-ID (which is my case).

The basic GlobalProtect feature also works without the license. Things like client HIP require the license.

Thanks

Christof

Hello,


I would highly recommend reading through the User Identification Tech Note found at https://live.paloaltonetworks.com/docs/DOC-3120.

It may be the case that you need to increase your user-ip-mapping timeout value. In the section 'Reading Security Logs', it is recommended to set the user-ip-mapping timeout to half the DHCP lease time used in your environment. The default AD domain configuration has client systems attempt to renew their ticket every 10 hours.


As you have discovered, you will maintain a more accurate user-ip-mapping with server session read enabled.

- Stefan
