We are facing the issue that user identification is not working properly.
I am running PAN OS 4.1.4 on a PA-200 device and User-ID-Agent 4.1.4-3 on a Windows 2008 R2 member server.
The UI agent is connected to both the DCs (Windows 2003 servers) and our LAN address is entered in the list of configured networks.
Everything shows "green" and connected.
But I only see a subset of users that are currently logged in to the domain when I run "show user user-ip-mapping" in the CLI.
All users/workstations are in the IP range of the defined LAN.
Curiously, I sometimes see IP addresses and users that are not within this subnet. It looks like these are the computer accounts of our internet provider's DNS servers or so.
On our second site I have a similar setup.
There we have only one DC (Win 2008 R2) and the UI Agent is running directly on that server. All the versions are the same as in our first site.
Everything is running perfectly over there.
Because of that I thought it might help to have the UI agent running directly on the DCs. I installed the agents on both DCs at our first site and set up the connections to the UI agents from the Firewall. The result is still the same: not all users are listed...
Any ideas what the issue could be?
On the UI Agent itself, do you find that the users are showing up correctly but that they are missing on the Firewall? Or, are the users missing on the UI Agent as well?
Note, the users will show up in the UI Agent when they authenticate against AD and their logon event is registered as a security event on the AD logs.
If you find that the users show up correctly on the UI Agent but not on the Firewall, then please contact the Support team.
If, however, the users are missing on the UI Agent itself, then check the AD logs (and the logs on the UI Agent) to see if there are ticket granted events for those user logons.
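The reply above describes a triage order (are users missing on the agent, or only on the firewall?), and the original post mentions two symptoms: only a subset of logged-on users appears in "show user user-ip-mapping", and some mappings fall outside the configured LAN. The script below is an added example for this thread, not Palo Alto Networks code or anything the original posters wrote. It parses a constructed sample of mapping output (the column layout is an assumption, not copied from PAN-OS 4.1), checks each mapped IP against the configured LAN subnet, and compares the mapped users against a constructed list of logon events of the kind the agent reads from the DC security logs, so that users who authenticated from inside the LAN but never got a mapping are listed for follow-up.

```python
"""Triage helper for User-ID gaps: compare firewall user-to-IP mappings
against the logon events the User-ID Agent should have read from the DCs.

Added example for this thread, not Palo Alto Networks code. The mapping
lines and the logon events below are constructed samples; the column layout
of "show user user-ip-mapping" is assumed, not taken from PAN-OS 4.1 output.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample of CLI output. Assumed layout: IP, vsys, source, user,
# idle timeout, max timeout.
SAMPLE_MAPPING_OUTPUT = """\
IP              Vsys   From    User                      IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- ------------------------- -------------- -------------
10.10.1.21      vsys1  UIA     corp\\alice               2400           2700
10.10.1.33      vsys1  UIA     corp\\bob                 1800           2700
203.0.113.53    vsys1  UIA     corp\\dns1$               600            2700
"""

# Constructed sample of what the agent reads from the DC security logs:
# one (user, client IP) record per successful logon / ticket event.
SAMPLE_LOGON_EVENTS: List[Tuple[str, str]] = [
    ("corp\\alice", "10.10.1.21"),
    ("corp\\bob", "10.10.1.33"),
    ("corp\\carol", "10.10.1.40"),   # logged on, but never mapped
    ("corp\\dave", "10.10.1.41"),    # logged on, but never mapped
]

# Six whitespace-separated columns; the last two must be numeric timeouts,
# which is what keeps the header and separator rows from matching.
MAPPING_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s*$")


def parse_mappings(text: str) -> Dict[str, str]:
    """Return {ip: user} for every data row of the mapping output."""
    mappings: Dict[str, str] = {}
    for line in text.splitlines():
        m = MAPPING_LINE.match(line)
        if not m:
            continue  # header, separator, or blank line
        ip, _vsys, _source, user, _idle, _max = m.groups()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # not an address; ignore the row
        mappings[ip] = user
    return mappings


def outside_subnet(mappings: Dict[str, str], lan: str) -> Dict[str, str]:
    """Mappings whose IP is not inside the configured LAN, e.g. computer
    accounts of external servers that the agent picked up from the DC logs."""
    net = ipaddress.ip_network(lan)
    return {ip: user for ip, user in mappings.items()
            if ipaddress.ip_address(ip) not in net}


def missing_users(mappings: Dict[str, str],
                  events: List[Tuple[str, str]], lan: str) -> List[str]:
    """Users with a logon event from inside the LAN but no mapping."""
    net = ipaddress.ip_network(lan)
    mapped = {user.lower() for user in mappings.values()}
    return sorted({user for user, ip in events
                   if ipaddress.ip_address(ip) in net
                   and user.lower() not in mapped})


def triage(text: str, events: List[Tuple[str, str]], lan: str) -> dict:
    """Summarise mapped count, out-of-LAN mappings and unmapped LAN users."""
    mappings = parse_mappings(text)
    return {
        "mapped": len(mappings),
        "outside_lan": outside_subnet(mappings, lan),
        "missing": missing_users(mappings, events, lan),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_MAPPING_OUTPUT, SAMPLE_LOGON_EVENTS, "10.10.1.0/24")
    print(f"mapped entries: {report['mapped']}")
    for ip, user in report["outside_lan"].items():
        print(f"outside LAN: {ip} -> {user}")
    for user in report["missing"]:
        print(f"logged on but unmapped: {user}")
```

Running it on the constructed samples reports three mappings, one entry outside the LAN (the `dns1$` computer account on 203.0.113.53) and two users, carol and dave, who have logon events but no mapping. In practice the event list would come from the DC security log or the agent's own log, which is exactly the comparison the reply above recommends before involving Support.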
The users are already missing on the UI agent. So it is clear that the firewall does not know them either.
I have now changed the UI agent to server session read = enabled, and now the users are correctly identified.
It seems that the security tickets are not sufficient to keep the user-IP mapping up to date.
Has anyone else had that experience as well?
GlobalProtect (optional licence and requires a client installed on all PCs) is the only way to do this properly from my experience. I tried everything from User agent, autologon script etc etc ... 95% accurate at best, yet making 5% of the population create tickets because they don't have access to a resource.
If it's only to ID people for internet, Captive Portal will do the job also.