User names with two different domain prefixes - inconsistent rule application


L4 Transporter

I'm semi-reposting this because it didn't get any bites in another topic/discussion area and this seems to be a lot busier.

 

I'm having an issue where our users are showing up in the logs as both domainname\username and domainname.com\username.

 

Whenever I show the user names and group listings on our firewall from the CLI they show as domainname.com and that is how our group mappings are setup but the logs bounce between the two types of names.

 

This appears to be causing inconsistent application of the groups we have defined for URL filtering.  One time a group gets applied, presumably because it sees the user name as domainname.com\username, and then when it isn't applied it is showing in the log without the .com.

 

I'm not sure how to fix this.  I tried changing the domain in the group mappings and GlobalProtect logins stopped working so I had to add it back.

 

Any ideas?


Cyber Elite

Hi @TonyDeHart ,

 

The different domain names usually come from different User-ID sources.  Do you have multiple sources for User-ID?  If so, under Monitor > User-ID is the naming convention consistent with each source?

 

If you have only 1 User-ID source, we can look into that also.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
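An added audit script (not from this thread or from Palo Alto Networks) for the check Tom describes: it parses a constructed listing in the shape "ip domain\user source", reports users seen under more than one spelling of the same domain, and shows which spelling each User-ID source emits so the odd source stands out. The listing layout and the source tags UIA and GP are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample shaped like an ip-user-mapping listing; not real firewall output.
SAMPLE_MAPPINGS = """\
10.1.1.10 domainname\\jdoe UIA
10.1.1.10 domainname.com\\jdoe GP
10.1.1.11 domainname\\asmith UIA
10.1.1.12 domainname.com\\asmith GP
10.1.1.13 domainname\\bjones UIA
"""

LINE_RE = re.compile(r"^(?P<ip>\S+)\s+(?P<domain>[^\\\s]+)\\(?P<user>\S+)\s+(?P<source>\S+)$")

def parse_mappings(text):
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # skip headers or blank lines that do not fit the assumed shape
            rows.append(m.groupdict())
    return rows

def canonical_domain(domain):
    # "domainname.com" and "domainname" name the same realm: keep the
    # first DNS label, lower-cased, so both spellings compare equal.
    return domain.lower().split(".")[0]

def canonical_name(name):
    domain, _, user = name.partition("\\")
    return f"{canonical_domain(domain)}\\{user.lower()}"

def find_inconsistent_prefixes(rows):
    """Users whose mappings arrive under more than one spelling of the domain."""
    seen = defaultdict(set)
    for r in rows:
        seen[canonical_name(r["domain"] + "\\" + r["user"])].add(r["domain"].lower())
    return {u: sorted(v) for u, v in seen.items() if len(v) > 1}

def prefixes_by_source(rows):
    """Which domain spellings each User-ID source emits (points at the odd one)."""
    out = defaultdict(set)
    for r in rows:
        out[r["source"]].add(r["domain"].lower())
    return {s: sorted(v) for s, v in out.items()}

def group_match(logged_name, group_members):
    """Exact match (fails across spellings) vs canonicalised match."""
    exact = logged_name in group_members
    canon = canonical_name(logged_name) in {canonical_name(m) for m in group_members}
    return exact, canon
```

Feed it the real listing from the CLI or an exported User-ID log; a source whose set of spellings differs from the others is the one whose domain setting needs aligning.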

L4 Transporter

From what I can tell by looking, all the sources have domainname.com set as the domain, which could be an issue given that the user agents on the Windows servers that are being used probably source the domain as domainname.  I can't control it, or at least I see no way to control it.  I'm going to try removing domainname.com from wherever I can find it and see if that works. When I tried it before, GP logins broke, but I could have missed a spot. My understanding is the domainname can be left blank and the Palo will figure it out.

Cyber Elite

Hi @TonyDeHart ,

 

That could be it!  Try changing domainname.com to domainname for one source and see if that works.

 

Yes, the domain name can be left blank for most configurations, e.g. group mapping, authentication profiles, etc.  You generally configure it as an override.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

L4 Transporter

I made the changes to remove the domain from the group mapping, but I had to put something in the GP Gateway, so I put domainname instead of domainname.com this time and it worked.  When I left this blank in the GP Gateway I could not log in.

 

What is still odd, however, is that while the results of show user group name return user names as domainname\username now, show user ip-user-mapping ip x.x.x.x returns the username as domainname.com\username.  And the ip-user-mapping has been inconsistent. Earlier today I did the same query for another IP and it was domainname\username.

 

Not sure what is up with that.

Cyber Elite

Hi @TonyDeHart ,

 

Just curious, where did you fill in the domain for the GP gateway?

 

Also, how many User-ID sources do you have?

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

L4 Transporter

Sorry, that was probably confusing - I changed the user domain for the LDAP profile being used by the GP Gateway under Authentication Profiles. Blank did not work, but domainname (w/o the .com) worked.

 

I only have one User-ID source under group mappings pointing to our AD domain.

 

I'm wondering if the system needs some time to flush out some of the old data/domain info.  An earlier query I did with show user ip-user-mapping ip x.x.x.x returned domainname.com\username, and just now it returned the more proper domainname\username.  More importantly, it shows all the groups that user belongs to properly now too, whereas it did not before.

 

Probably need to monitor this tomorrow and see if it is more consistent and working properly after some time has passed.

 

L4 Transporter

After waiting this out for the day, it seems like the old domainname.com user names have finally flushed and I'm getting a consistent domainname\username entry in the logs.

 

Hopefully it stays this way but so far so good.
