I installed User-ID Agent on the Windows DC, and it is working somewhat successfully. For some odd reason it recognizes the users from our domain, but on the app's monitoring tab, where I can see the IP-User correlations, sometimes the users are identified like this:
and sometimes like this
Sometimes the latter converts to the first option, sometimes not.
Also, I'm not sure how it actually works. I was logged in to my computer and I could see myself in the list of users on User-ID Agent, but after a few minutes I disappeared - while I was logged in to my machine and actively using it. So I might be missing something?
Hi @olloczky1 ,
This is most probably caused by how user credentials were sent to the AD for authentication. But if your domain is properly configured you don't have to worry. As explained here: "All about User-ID domain map - Knowledge Base - Palo Alto Networks", the FW is able to handle this and "normalize" the username and use a single format. The link describes this as happening on the integrated User-ID agent (on the firewall itself), but I suspect the User-ID agent application is doing it as well, before sending it to the firewall.
You should be able to check how the FW receives the user-IP mapping from the agent by looking at the User-ID logs on the FW:
Monitoring -> User-ID. There you can check the following columns (if not shown by default, you can add them):
- User: this will be the username after normalization
- User Provided by Source: self explanatory
- Source Name: the source of the user-ip-mapping information.
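The kind of normalization the reply describes, as an added example that is not part of the original thread and not Palo Alto Networks code: it folds three common username formats into one and then checks whether several mappings on one IP are the same user or a real conflict. The domain names, the `netbios\user` canonical form, the default domain and the sample rows are all assumptions constructed for illustration.

```python
# Illustrative sketch only: not Palo Alto Networks code.
# Assumed canonical form: netbios\user, lower-cased.

# Constructed domain map: DNS domain name -> NetBIOS domain name.
DOMAIN_MAP = {"corp.example.com": "corp"}
DEFAULT_DOMAIN = "corp"  # assumed domain for bare usernames

def normalize(raw, domain_map=DOMAIN_MAP, default=DEFAULT_DOMAIN):
    """Return 'netbios\\user' for DOMAIN\\user, user@dns.domain or bare user."""
    name = raw.strip().lower()
    if "\\" in name:                      # down-level form: DOMAIN\user
        domain, user = name.split("\\", 1)
        # The domain part may itself be a DNS name; map it if known.
        domain = domain_map.get(domain, domain)
    elif "@" in name:                     # UPN form: user@dns.domain
        user, domain = name.rsplit("@", 1)
        if domain not in domain_map:
            # Unknown suffix: refuse to guess, so the gap is visible.
            raise ValueError(f"no domain map entry for {domain!r}")
        domain = domain_map[domain]
    else:                                 # bare account name
        user, domain = name, default
    if not user or not domain:
        raise ValueError(f"cannot parse username {raw!r}")
    return f"{domain}\\{user}"

def audit(mappings):
    """Group (ip, user_provided_by_source) rows by IP after normalization.

    Returns {ip: set of normalized users}. More than one user on an IP
    means a real conflict, not just a formatting difference.
    """
    by_ip = {}
    for ip, raw in mappings:
        by_ip.setdefault(ip, set()).add(normalize(raw))
    return by_ip

# Constructed sample rows (IP, user as provided by the source).
SAMPLE = [
    ("10.0.0.5", "CORP\\jdoe"),
    ("10.0.0.5", "jdoe@corp.example.com"),
    ("10.0.0.5", "jdoe"),
    ("10.0.0.9", "corp.example.com\\asmith"),
    ("10.0.0.9", "CORP\\bjones"),
]

if __name__ == "__main__":
    for ip, users in sorted(audit(SAMPLE).items()):
        status = "ok" if len(users) == 1 else "CONFLICT"
        print(ip, status, sorted(users))
```

An IP that still shows more than one user after normalization is worth checking against the "Source Name" column, since user-based policy can only match one of them.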