Hi all,

I tried to configure the User identification for our LAN zones with PAN OS 7.1.3. I have the following environment:

Windows 2012 R2 Server
PA-500 with 7.1.3

I can see more than 200 users known by the firewall:

admin@firewall(active)> show user user-ids

User Name                         Vsys    Groups
------------------------------------------------------------------
test.domain.com\user1             vsys1   cn=domain users,cn=users,dc=test,dc=domain,dc=com
...
...

I also can see the mapping of users to IP addresses for the GP logins:

admin@firewall(active)> show user ip-user-mapping all

IP               Vsys    From     User                              IdleTimeout(s)  MaxTimeout(s)
---------------  ------  -------  --------------------------------  --------------  -------------
10.xxx.xxx.xxx   vsys1   GP       domain\user1                      9448            9448
....

but not for the users in our LAN environment:

192.xxx.xxx.xxx  vsys1   Unknown  unknown                           3               6

but I can see the user I've configured for wmi-auth:

10.xxx.xxx.xxx   vsys1   AD       domain\wmi-auth-user              1785            1785

I tried it with the User-ID Agent on the AD server itself and without the User-ID Agent, but there is no mapping between the IP address and the user in our LAN.

Without User-ID Agent

"Enable User Identification" is activated on the LAN zone of the firewall. The AD server is configured as a server:

admin@firewall(active)> show user server-monitor state all

UDP Syslog Listener Service is disabled
SSL Syslog Listener Service is disabled

Server: adserver.test.domain.com(vsys: vsys1)
  Host: adserver.test.domain.com
  num of log query made : 58692
  num of log query failed : 9
  num of log read : 6911
  last record timestamp : 1467785964
  last record time : 20160706061924.113696-000

No network is included/excluded

Client Probing is enabled too.

With User-ID Agent

Configured in nearly the same way, no real error in the logfile of the agent:

07/05/16 14:42:27:213[ Info 1935]: ------------Service is being started------------
07/05/16 14:42:27:213[ Info 1942]: Os version is 6.2.0.
07/05/16 14:42:27:228[Error 568]: Cannot read debug log level with error 2(The system cannot find the file specified. )
07/05/16 14:42:27:228[ Info 571]: Load debug log level Debug.
07/05/16 14:42:27:228[ Info 527]: Service version is 7.0.4.5.
07/05/16 14:42:27:228[ Info 574]: Product version is 7.0.4-5.
07/05/16 14:42:27:228[ Info 1015]: Found 0 ACL config. 0 processed.
07/05/16 14:42:27:228[ Info 1043]: Found 0 VM info source config. 0 processed.
07/05/16 14:42:27:228[ Info 1051]: Found 0 Syslog Profile(s) config.
07/05/16 14:42:27:228[ Info 1103]: Found 2 server config.
07/05/16 14:42:27:228[ Info 1138]: Found 0 include-exclude networks. 0 processed.
07/05/16 14:42:27:228[ Info 1163]: Found 0 custom log format config.
07/05/16 14:42:27:228[ Info 175]: Load 8 build-in formats and 0 custom formats for parsing security log.
07/05/16 14:42:27:228[Debug 322]: pool(probing): create worker thread 11768
07/05/16 14:42:27:228[Debug 322]: pool(probing): create worker thread 10404
07/05/16 14:42:27:228[Debug 322]: pool(probing): create worker thread 8916
07/05/16 14:42:27:228[Debug 322]: pool(probing): create worker thread 14108
07/05/16 14:42:27:228[ Info 1142]: Loaded 0 AD ip user mappings from file took 0 seconds
07/05/16 14:42:27:228[ Info 318]: DC security log and session query threads for server adserver.test.domain.com(index 0) are started.
07/05/16 14:42:27:228[ Info 318]: DC security log and session query threads for server adserver2.test.domain.com(index 1) are started.
07/05/16 14:42:27:228[ Info 624]: Active Direcotry gets started.
07/05/16 14:42:27:228[ Info 652]: User-ID VM monitor service started.
07/05/16 14:42:27:228[Debug 355]: Event: type="server status" name="10.xxx.xxx.xxx" status="Connecting"
07/05/16 14:42:27:228[Debug 355]: Event: type="server status" name="10.xxx.xxx.xxx" status="Connecting"
07/05/16 14:42:27:228[Debug 355]: Event: type="server status" name="10.xxx.xxx.xxx" status="Connected"
07/05/16 14:42:27:228[ Info 1416]: Connect succeeds on DC adserver.test.domain.com.
07/05/16 14:42:27:244[Debug 220]: Read security log succeed for DC adserver.test.domain.com.
07/05/16 14:42:27:244[Debug 355]: Event: type="server status" name="10.xxx.xxx.xxx" status="Connected"
07/05/16 14:42:27:244[ Info 1416]: Connect succeeds on DC adserver2.test.domain.com.
07/05/16 14:42:27:307[Debug 220]: Read security log succeed for DC adserver2.test.domain.com.
07/05/16 14:42:27:400[Debug 694]: Service started.
07/05/16 14:42:27:400[Debug 355]: Event: type="service status" status="started"
07/05/16 14:42:27:400[Debug 996]: Device listening thread started.
07/05/16 14:42:27:791[ Info 869]: New connection 127.0.0.1 : 65418.
07/05/16 14:42:27:791[Debug 911]: DevLink: Changed the default rx buffer size to 0x100000 for 127.0.0.1, port 65418
07/05/16 14:42:27:791[Debug 921]: DevLink: Changed the default tx buffer size to 0x100000 for 127.0.0.1, port 65418
07/05/16 14:42:27:791[ Info 942]: Device thread 0 with 127.0.0.1 : 65418 is started.
07/05/16 14:42:27:791[ Info 3254]: Device thread 0 accept finished
07/05/16 14:42:27:791[Debug 3302]: Device thread 0 SSL no certificate
07/05/16 14:42:27:791[Debug 2025]: Device thread 0 added job 1 for get-all
07/05/16 14:42:27:791[Debug 1493]: Device thread 0 send device status 127.0.0.1 : 65418 Connected
07/05/16 14:42:27:791[Debug 1950]: Device thread 0 proc get-all on thread 13740 job 1
07/05/16 14:42:27:791[ Info 755]: AD Get-all started for device thread 0 from 127.0.0.1
07/05/16 14:42:27:791[ Info 821]: AD Get-all returned 0 AD entries for device thread 0
07/05/16 14:42:28:057[Debug 1529]: Device thread 0 send server status adserver.test.domain.com(10.141.0.65) Connected
07/05/16 14:42:28:275[Debug 1529]: Device thread 0 send server status adserver2.test.domain.com(10.133.0.3) Connected
07/05/16 14:42:28:525[Debug 1529]: Device thread 0 send server status adserver.test.domain.com(10.141.0.65) Connected
07/05/16 14:42:28:729[Debug 1529]: Device thread 0 send server status adserver2.test.domain.com(10.133.0.3) Connected
07/05/16 14:42:29:494[Debug 284]: Reading 51200 security logs takes 2265 ms for DC adserver.test.domain.com.
07/05/16 14:42:38:446[Debug 284]: Reading 34214 security logs takes 11203 ms for DC adserver2.test.domain.com.

But I can not see any user-to-IP mapping on the agent. From my perspective the wmi-auth-user has the right permissions to read the security logfile of the AD server.

Do you have any idea how to proceed?

Thanks,
Stephan
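The agent log above shows the Security logs being read (tens of thousands of records per DC) while "AD Get-all returned 0 AD entries", so the next thing to establish is whether those logs actually contain user logon events with LAN client addresses that the agent could map. The following diagnostic is an added example and is not part of the original post or of Palo Alto's software. It reads the DC's Security log with the same account the agent uses and extracts user/IP pairs from the logon and Kerberos ticket events (4624, 4768, 4769, 4770) that the User-ID agent parses on a Windows Server 2008+ DC. The host name adserver.test.domain.com, the account domain\wmi-auth-user and the LAN prefix 192.0.2. are placeholder assumptions taken from or standing in for the redacted values in the post; adjust them to your environment.

```powershell
# Added diagnostic (example code, not from the post or from Palo Alto Networks).
# Assumed/hypothetical values: the DC name, the monitoring account and the LAN
# prefix below stand in for the redacted ones in the post. Run this from any
# domain-joined Windows host (PowerShell 3+, so Windows Server 2012 R2 is fine).
param(
    [string]$DomainController = 'adserver.test.domain.com',  # assumed
    [string]$MonitorUser      = 'domain\wmi-auth-user',       # assumed
    [string]$LanPrefix        = '192.0.2.',                   # assumed, replace with your LAN subnet
    [int]$MaxEvents           = 50000,
    [int]$LookbackHours       = 2
)

# Logon and Kerberos ticket events the User-ID agent parses on a 2008+ DC.
$eventIds = 4624, 4768, 4769, 4770

# Read as the monitoring account: a permission problem then surfaces as an
# access-denied error here instead of as a silently empty mapping table.
$cred = Get-Credential -UserName $MonitorUser -Message 'Password of the User-ID monitoring account'

$filter = @{
    LogName   = 'Security'
    Id        = $eventIds
    StartTime = (Get-Date).AddHours(-$LookbackHours)
}

try {
    $events = Get-WinEvent -ComputerName $DomainController -Credential $cred `
                           -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop
} catch {
    Write-Error "Could not read the Security log on $DomainController as ${MonitorUser}: $_"
    return
}

# Take user and client IP from the event XML rather than the rendered message.
# 4768/4769/4770 record the client address as '::ffff:a.b.c.d'.
$mappings = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $user = $data['TargetUserName']
    $ip   = ($data['IpAddress'] -replace '^::ffff:', '')

    # Drop machine accounts and entries that carry no usable client address.
    if (-not $user -or $user.EndsWith('$') -or -not $ip) { continue }
    if ($ip -in @('-', '127.0.0.1', '::1')) { continue }
    # For 4624 keep only logon types that describe a client session
    # (2 interactive, 3 network, 10 remote interactive, 11 cached interactive).
    if ($e.Id -eq 4624 -and $data['LogonType'] -notin @('2', '3', '10', '11')) { continue }

    [pscustomobject]@{
        Time = $e.TimeCreated
        Id   = $e.Id
        User = "$($data['TargetDomainName'])\$user"
        IP   = $ip
    }
}

"Events read: $($events.Count); usable user-to-IP pairs: $($mappings.Count)"

# What the agent should have learned: the newest event per (user, IP) pair.
$mappings | Sort-Object Time -Descending |
    Group-Object User, IP | ForEach-Object { $_.Group[0] } |
    Sort-Object User | Format-Table Time, Id, User, IP -AutoSize

# The subset that matters for the missing LAN mappings.
$lan = $mappings | Where-Object { $_.IP.StartsWith($LanPrefix) }
"LAN ($LanPrefix*) pairs seen on ${DomainController}: $($lan.Count)"
```

Read the two counters together with the agent log: if the read fails, the monitoring account lacks Security log access (on a DC, membership in Event Log Readers is the usual fix) even though the agent reports a successful connection. If events are read but the LAN count is zero, the DC being monitored is not the one authenticating those clients, or their traffic reaches it through NAT or a proxy, and the agent has nothing to map regardless of its permissions. Get-WinEvent is a proxy for the agent's own log reader, not the same code path, so treat a pass here as necessary rather than sufficient.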