UserID not 'working'

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

UserID not 'working'

Not applicable

I've got a PA500 pair with 4.1.7 where PAN agent has been replaced with group mapping, whereby I now need to install a user-id agent instead of the PAN agent to get any user details in the logs and use in policy (is that statement correct?)

I'm having a few problems,

* user accounts to IP devices seem to pick up the wrong one, from what I can think of its AV using a service account that changes the name of the user account, not 100% sure. So I see a lot of "service" usernames hitting my firewall log and thus my user policy does not apply.

* even though I've got a group defined on a policy rule that the specific user applies to and I can see in the monitor logs that this specific user tries to connect with it's src IP to dst IP but misses the rule and goes into my explicit drop rule. I've looked in the CLI to see if the PA know's what users apply to this rule and I can see the users populated there.
The rule looks like this:

Source Zone: Trust

Destination Zone: Untrust

User: usergroup

Application: ms-rdp,t.120,rdp2tcp

Rest left at their defaults

I kick off an RDP from a Trust location to Untrust and I see in the logs it's hitting my explicit drop rule. As soon as I take the user group out of the policy it hits the rule. So I'm a bit confused.

How can I further troubleshoot this and where can I fix it? The Userid agent is residing on the same server that still has the PAN agent (so had to change the listener port from 8888 and also the PA to another port, they connect fine to both LDAP and the userid agent but the information that the Userid agent picks up is not always correct.)

1 accepted solution

Accepted Solutions

Hello,

Your statement is indeed correct .

Under the LDAP configuration:- Device--->LDAP is the domain field empty or have you put in the entire domain name. If so please change it to the netbios name for ex:- abcd.com, doamin field should be set as abcd.

Please let us know if this works.

.

Thank you.

Subijith Raghunandan.

View solution in original post

4 REPLIES 4

Not applicable

So update, it works with a specific username if I type: DOMAIN\USERNAME it does not work if I use the full CN path to the username and specific groups is not working either. Confused to where I should be troubleshooting this, any input would be greatly appriciated.

Hello,

Your statement is indeed correct .

Under the LDAP configuration:- Device--->LDAP is the domain field empty or have you put in the entire domain name. If so please change it to the netbios name for ex:- abcd.com, doamin field should be set as abcd.

Please let us know if this works.

.

Thank you.

Subijith Raghunandan.

It was set with the domain name (domain.com example) I've changed it now, I did think that the group mapping that uses the ldap server profile was working since I could see the groups populated on the firewall policy.

Best Practices using LDAP Servers

• If the underlying directory is Active Directory, make sure the “Domain” field of the LDAP Server matches the NETBIOS name of the domain.

^ Did actually read that but must have gotten confused along the way, created a funny problem. Shame it was "working" but not if you understand, makes it harder to troubleshoot 😉

It's "all" working now, maybe you have some answer to my other query since you helped greatly with that little change Smiley Wink

Not applicable

Just a quick note that I noticed. After I changed the domain name to NETBIOS name I no longer could get the groups from the within the policy. The group filter under group mappings was empty could only see the base dn. I deleted the group mappings and created it again and I could then see the groups once more. Smiley Happy

  • 1 accepted solution
  • 3513 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!