I've got a PA500 pair with 4.1.7 where the PAN agent has been replaced with group mapping, whereby I now need to install a user-id agent instead of the PAN agent to get any user details in the logs and use in policy (is that statement correct?).

I'm having a few problems:

* User accounts to IP devices seem to pick up the wrong one. From what I can think of, it's AV using a service account that changes the name of the user account; not 100% sure. So I see a lot of "service" usernames hitting my firewall log and thus my user policy does not apply.
* Even though I've got a group defined on a policy rule that the specific user applies to, and I can see in the monitor logs that this specific user tries to connect with its src IP to dst IP, it misses the rule and goes into my explicit drop rule. I've looked in the CLI to see if the PA knows what users apply to this rule and I can see the users populated there.

The rule looks like this:

Source Zone: Trust
Destination Zone: Untrust
User: usergroup
Application: ms-rdp,t.120,rdp2tcp
Rest left at their defaults

I kick off an RDP from a Trust location to Untrust and I see in the logs it's hitting my explicit drop rule. As soon as I take the user group out of the policy it hits the rule. So I'm a bit confused. How can I further troubleshoot this and where can I fix it?

The Userid agent is residing on the same server that still has the PAN agent (so I had to change the listener port from 8888 and also the PA to another port; they connect fine to both LDAP and the userid agent, but the information that the Userid agent picks up is not always correct).