We have a customer who is using PA-3020 in L3 A/P cluster, running PanOS 5.0.2.
We have set up User-ID with PanAgent services (Primary and Secondary) installed on two different servers that are members of the domain.
User-ID is configured to be based on:
- Security logs
On 4 different servers:
- 2 AD servers
- 2 Exchange servers
The User-ID agents and the monitored servers are all well connected, and there is nothing wrong in the system logs regarding User-ID.
Most of the time, all is working fine: users are well identified and thus the proper rules are applied (based on user groups).
However, it seems that sometimes User-ID just stops, and the users are no longer identified. Indeed, we can see in the traffic log monitoring that the Source User field is empty. As a result, the applied rule is not the right one and the URL Filtering profile that is applied is not the expected one.
The customer is obviously complaining about this and I don't really know how to figure out what's wrong with this User-ID...
You can see in the following screenshot that the Source User field is suddenly empty, and starting from this point, the matched rule is of course not the same.
The User-ID agents are connected, as you can see.
And the monitored servers as well.
Finally, User-ID restarts after just 1 hour.
How can I monitor User-ID and ensure that this won't occur again?
Or maybe this is a bug ?
While I don't know exactly why this is happening, there have been a great deal of fixes to various User-ID issues between 5.0.2 and 5.0.9. Some of the changes were indeed regarding IP-to-user mappings not displaying in logs, so it might be worth upgrading to 5.0.9 to see if the issue is resolved before going with a support ticket.
That said, you can also turn on debugging in the user ID process and tail the log. When the mapping starts to show up blank, turn off debugging and parse through the log to see what may be happening.
Turn on the debug:
> debug user-id on debug
Turn off the debug:
> debug user-id on info
Parse through the log (uses standard linux "less" navigation):
> less mp-log useridd.log
That may help explain what is going on when the mapping stops displaying.
Hope this helps,
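Alongside the useridd.log debugging described in the answer, the traffic log itself can be watched for the symptom the question shows: a source IP that was mapped to a user suddenly logging sessions with an empty Source User field, and a different rule matching. The script below is an added example written for this thread; it is not Palo Alto Networks code and not the answer's own procedure. It assumes a simplified, constructed export of the traffic log with only four comma-separated fields per line (receive time, source IP, source user, rule name); a real PAN-OS traffic log export has many more columns, so the FIELD_* indexes would need to be adjusted to match the actual column layout. The timestamps, IPs, user names and rule names in SAMPLE_LOG are constructed to reproduce the pattern from the question (mapping present, blank for about an hour, then back).

```python
"""Find windows in PAN-OS traffic log rows where an IP's user mapping goes blank.

Added example for this forum thread (not Palo Alto Networks code). Assumes a
simplified, constructed 4-column export: time, src IP, src user, rule name.
Real traffic log exports carry many more columns; adjust FIELD_* accordingly.
"""
from datetime import datetime

FIELD_TIME, FIELD_SRC, FIELD_USER, FIELD_RULE = 0, 1, 2, 3   # assumed layout
TIME_FMT = "%Y/%m/%d %H:%M:%S"

# Constructed sample rows: 10.1.1.25 is mapped to corp\alice, the mapping goes
# blank (and a different rule matches) for roughly one hour, then returns.
SAMPLE_LOG = """\
2013/06/10 09:00:05,10.1.1.25,corp\\alice,allow-users-web
2013/06/10 09:10:12,10.1.1.25,corp\\alice,allow-users-web
2013/06/10 09:20:41,10.1.1.25,,default-deny
2013/06/10 09:45:03,10.1.1.25,,default-deny
2013/06/10 10:15:30,10.1.1.25,,default-deny
2013/06/10 10:22:09,10.1.1.25,corp\\alice,allow-users-web
2013/06/10 09:05:00,10.1.1.40,corp\\bob,allow-users-web
2013/06/10 09:30:00,10.1.1.40,corp\\bob,allow-users-web
"""


def parse_rows(text):
    """Parse the simplified export into dicts, sorted per source IP by time."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(",")
        rows.append({
            "time": datetime.strptime(parts[FIELD_TIME], TIME_FMT),
            "src": parts[FIELD_SRC].strip(),
            "user": parts[FIELD_USER].strip(),
            "rule": parts[FIELD_RULE].strip(),
        })
    rows.sort(key=lambda r: (r["src"], r["time"]))
    return rows


def find_mapping_gaps(rows):
    """Return one record per run of unmapped sessions from an IP that had a user.

    Each gap records the user last seen for that IP, when the blank run began,
    when a mapping reappeared (None if it never did), the number of sessions in
    the run and the set of rules that matched while the user field was empty.
    """
    gaps, open_gaps, last_user = [], {}, {}
    for r in rows:
        src = r["src"]
        if r["user"]:
            # Mapping present: close any open gap for this IP.
            if src in open_gaps:
                gap = open_gaps.pop(src)
                gap["end"] = r["time"]
                gap["duration"] = gap["end"] - gap["start"]
                gaps.append(gap)
            last_user[src] = r["user"]
        elif src in last_user:
            # Blank user for an IP we have seen mapped before.
            gap = open_gaps.setdefault(src, {
                "src": src, "last_user": last_user[src], "start": r["time"],
                "end": None, "duration": None, "sessions": 0, "rules": set(),
            })
            gap["sessions"] += 1
            gap["rules"].add(r["rule"])
    gaps.extend(open_gaps.values())   # gaps still open at end of the log
    return gaps


def summarize(gaps, min_seconds=300):
    """Human-readable lines for gaps longer than min_seconds (or still open)."""
    lines = []
    for g in gaps:
        if g["duration"] is not None and g["duration"].total_seconds() < min_seconds:
            continue
        end = g["end"].strftime(TIME_FMT) if g["end"] else "still unmapped"
        lines.append(
            f"{g['src']} (was {g['last_user']}): unmapped from "
            f"{g['start'].strftime(TIME_FMT)} until {end}, "
            f"{g['sessions']} sessions, rules hit: {sorted(g['rules'])}"
        )
    return lines


if __name__ == "__main__":
    for line in summarize(find_mapping_gaps(parse_rows(SAMPLE_LOG))):
        print(line)
```

Run against a real export, the gap start times give the window to correlate with the debug-level useridd.log entries and with the agent's own log on the PanAgent servers; a gap that begins at the same moment for every mapped IP points at the agent connection or the monitored-server read rather than at one user's logon.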