About sjamaluddin

The PA 200 you said scours the ,local DC logs and so I presume you have an Agentless UserID agent there. Could you please check to see if this Agentless userID is set for "session read"  Device>>UserID>>User Mappinig>> Enable Session (is this checked)? If so, this means that when a user from the Child Domain uses one of the resources (like MS Exchange / file server), that user is logged and mapped. You stated that "That user only exists in the child domain but it uses various services hosted in the parent domain (like MS Exchange)" At the time that the user goes to one of these resources he/she gets logged with the Parent Domain If you'd like to NOT see the user with the Parent Domain, disable "Enable session" (Uncheck the box) so when a user does access those MS resources they are not mapped/logged  with the Parent domain ... View more

Hello Tau Are you running another instance of UserID Agent in the same device? I ask, as PAN Agent is what we called our older version of the UserID agent and I wonder if perhaps it has old info whereas your new info. is in another partition / directory. If so, could you please check to see if there is just this one PAN Agent on this server or if you might also be running a newer version called the UserID agent? Thanks Saba ... View more

Hi You said the Macs were bound to AD: "They are binded to AD , even if an AD user uses logs in to an Apple MAC there are no MS events in the security logs to forward to the User-ID agent." So, how are the Macs bound to AD? IF the users authenticate to AD there should be a logon event and if not, you may have to enable logging levels to show those logon events through: https://live.paloaltonetworks.com/docs/DOC-2801 These are then read according to: https://live.paloaltonetworks.com/docs/DOC-1262 You may also find https://live.paloaltonetworks.com/docs/DOC-5662 helpful. Thanks ... View more

Are your devices in HA and if so, are both devices active and sending syslog message to the syslog server? ... View more

Have you made this PAN firewall part of an AD domain? UDP port 137 appears to be some NETBIOS traffic and its unlikely that the management port will be spewing that out unless this PA has been included as a domain device. ... View more

You can create an LDAP server profile referring to your AD set up Pull the groups (under User Identification >> Group Mappings >> include List) that are of interest Reference this LDAP server and the interesting groups in the Authentication Profile Use the Authentication profile in the Global Protection Portal / Gateway configuration Once the user has been authenticated and been recognized as part of a particular group, any security policies you create for traffic between the SSL VPN zone and the Trust zone can reference the appropriate user groups and as such allow certain user groups (e.g.IT) to certain destination addresses and not others - depending on how you create your security policy As for the multiple authentications, you can authenticate to only one Portal but you can have multiple Gateways configured so your traffic can take different Gateways depending on the group they may belong to. This would have to be configured under the Global Protect >> Portal >> Client Config >> Gateways section However the first authentication will have to be to that one Portal and once the user falls in a particular group. you can decide which Gateway they can use. ... View more

You may want to also set the box for "log container pages" under each URL profile to diminish the number of links that show up against the user's URL activities. This will (should) limit the URLs that are spawned within each website and only register the main URLs. Though depending on the way the web page is designed, you may still see many URLs off of each page visit. ... View more

When creating security rules, in the Application section configure: Web Browsing but in the Service section refer to the ports you are interested in allowing. You may have to create a custom service and allow these non standard ports and then call that custom service in the security rule (where it says service). That way when traffic is checked against the security rule, you'd have web browsing AND the port (allowed via service) and only if the two web browsing on that non standard port match, will the traffic be allowed So e.g.  your service would look like Where service-http goes to 80 and 8080 and the security policy would be: ... View more

Please ensure you can ping the UserID agent server from the management interface - if not using the service route option So basic connectivity and access to the ports mentioned above are imperative ... View more

Usually the management IP address is used to access the userID agent If you have a UserID agent running on a DC that is on a different subnet than the management IP address then you'd have to ensure that there exists a route in your internal network permitting traffic exchange between the UserID agent and the management interface . You  can also create a service route (under management Set up) for the User ID traffic to be allowed to pass through the dataports to the UserID agent. ... View more

So the users that are at the remote location, do they authenticate to a DC on the firewall site? If so, then is the firewall  picking up these logon events from this local DC? Does this traffic then appear to be coming into the firewall from the local DC side or from the Untrust private MPLS side? I think the key is to understand that packet flow and what is expected - what ISP/ interfaces do you expect to receive and transmit on. As long as you have the correct mapping and are seeing traffic traverse the firewall (like a u Turn of some sort) the entries should be in the firewall log traffic logs. ----DC----Trust----|PAN FW|/// ISP 2----------------Internet                                  |                                  MPLS  ISP1 SO far if the remote users are coming in from ISP 1 and being routed to the DC on the trust side, is there a route saying that traffic must then exit out ISP 2? If so, perhaps the routing and zone security policies need some addressing. ... View more

Do you want the management interface to access the dynamic block list If so, 1. the dynamic block list must be referenced in a security policy 2. the management interface must have access to the web server that houses the dynamic block list 3. If you have a service route for the URL (brightcloud updates) pointing out of the Untrust or the Trust interface, the request for the dynamic block list will also go out that way as such you must then create as service route explicitly stating that to get to the web server with the block list use the management interface (you can configure this in the right hand panel of the service router configuration) ... View more

You are probably seeing those ssl decrypted sessions that NOW show up as web browsing. If you were to do a show session id <session #>, you'd probably see that the port used was 443 and the application was web browsing, implying that the ssl session was decrypted to expose the application that is web browsing ... View more

The reason the recommendation was to run the UserID agent on a domain contoller was that the communication between the domain controller and the UserID agent is very chatty. That's why to keep that chattiness local the USERID Agent was expected to run on the domain controller itself. If you now run the Agentless UserID on the firewall itself, you'd still see the chattiness between the PAN firewall and the domain contollers so that may be something to consider. ... View more

Is the Airport set to forward DHCP addresses responses back towards the clients? Do you have the Airport in Bridge mode? Was the Airport ever set to offer DHCP? Are you seeing any messages on the Airport regarding double NATing? What is interesting you said, that some Mac clients see private addresses. What is different about these and the Mac Clients that do receive the correct IP addresses? This may need further investigation.You may get additional info. when reviewing dhcpd.logs ... View more