About apasupulati

apasupulati · ‎01-02-2014

Suhaimi, No, Ldap server is configuration is required to pull user-group mappings, not in this case. If you're sure about the service account privileges(Be sure the user is part of the Distributed COM Users, Server Operators and Event Log Readers groups.), can you ensure the status of the AD shows up as 'Connected' on the firewall? You can run the following command to check the statistics as well- > show user server-monitor state all > show user server-monitor statistics Also, please ensure the firewall is connected to all the DC's the users are logging on to. User-ip-mappings are retrieved by the firewall by reading successful logon events from the security logs on DC. You can run 'set l' on the windows command prompt and that will show the DC user is logging onto. If all this is in place, looking at the userid debug logs should help. > debug user-id on debug > debug user-id set userid servermonitor > debug user-id set userid basic > debug user-id log-ip-user-mapping yes > tail follow yes mp-log useridd.log To turn these off- > debug user-id log-ip-user-mapping no > debug user-id unset all >debug user-id on info This will be a helpful document for you: https://live.paloaltonetworks.com/docs/DOC-5662 Hope that helps, Aditi

apasupulati · ‎12-31-2013

Also, if you're new to deploying User identification on the firewall, here's a good document to get a good understanding on how it works - https://live.paloaltonetworks.com/docs/DOC-5939

apasupulati · ‎12-31-2013

You should be able to configure upto 100 servers to poll, however if you have more than 10 servers, you should use a user-id agent as frequent reading of security logs from all the servers can impact the device CPU. Thanks, Aditi

apasupulati · ‎11-12-2013

Hello, This setup should be no different from a regular GP gateway and Portal configuration, even with the gateway L3 interface in DHCP mode. What issue do you see when you configure this? Refer: https://live.paloaltonetworks.com/docs/DOC-2904 https://live.paloaltonetworks.com/docs/DOC-2020 Thanks, Aditi

apasupulati · ‎11-07-2013

Hello, Please follow this document and ensure the device is correctly configured to pull groups from the Ldap server. How to Configure Group Mapping settings? CLI commands to check the groups retrieved and connection to the LDAP server: > show user group-mapping state all //shows the connection to ldap server and must show the 'domain users' group retrieved. Thanks, Aditi

apasupulati · ‎10-23-2013

If all the ip-mappings are discovered on the agent and not the firewall - 1. Are these users from a different subnet coming from a different source zone? all the source zones will need to have User-Id enabled so users can be identified on the firewall. 2. If coming from the same zone as the identified subnet, I'd re-check if the zone has any User-id ACL (include/exclude list) configured.

apasupulati · ‎10-22-2013

Hello, The PAN firewall should allow the reverse telnet traffic to traverse the firewall, but we don't support reverse telnet to be enabled on the firewall. Thanks, Aditi

apasupulati · ‎10-22-2013

Hello, The destination NAT is like static NAT, i.e. One to One translation. It looks like you're trying to do many to many, which is not possible by destination nat. Thanks, Aditi

apasupulati · ‎10-22-2013

Hello Adam, Since you mentioned this was working on PANOS 5.0.7, was the device upgraded or is that on a different firewall? Can you clarify if you're using the agent or the agentless? Do you have any include or exclude lists configured? Under the zone configuration or the user-id config. Pick a user machine whose mapping is not learnt and verify the logon server. Run "set l" at the windows cmd prompt to see which logon server the user logged onto. Confirm the user-id service is connected to the logon server/DC. If everything is setup correctly, we'd have to look at the logs. If using agentless, you can enable debugs for user-id service and tail the useridd.log. Or you can enable debug level logging on the user-id agent and check the Uadebug logs in the agent's directory. You can also refer: https://live.paloaltonetworks.com/docs/DOC-5662 Regards, Aditi

apasupulati · ‎10-22-2013

Hello, With IPsec mode enabled for GP, the client will make an ipsec connection first and use SSL connection as a fall back. Aditi

apasupulati · ‎10-10-2013

Enable the x-forwarded-for option on the PAN device, so the firewall can examine the HTTP headers for the X-Forwarded-for header which a proxy uses to store the original client IP address. You can then verify the URL-filtering logs to see if the real client IP is showing up in the Src field. You may also enable the Strip-x-forwarded-for option: The firewall zeros out the header value before forwarding the request, and the forwarded packets do not contain internal source IP information. Hope that helps! Aditi

apasupulati · ‎10-10-2013

You probably have a log-forwarding profile configured for each security policy, so the traffic and threat logs can be forwarded to the syslog server. So you can edit the log forwarding profile to not forward logs to the syslog server as indicated above by shasnain. Configure the Log settings under Device tab: Device tab--->Log settings-->System or Config to forward these logs to the syslog server. Hope that helps! Aditi

apasupulati · ‎10-10-2013

Brightcloud has just made a new seed file available: 4184 to fix this issue. Please upgrade to this version to resolve the issue. Thanks, Aditi

apasupulati · ‎10-10-2013

Hello, This behavior is expected, UserID does ip-user-mapping based off of the Windows Security logs and when a user RDP's to a machine, Windows logs the security event based on the IP of the PC that initiated the RDP. The only workaround for this to add the username: oalgt\ explotacio in the ignore users list. This is not an issue with the firewall or the agent. Refer: https://live.paloaltonetworks.com/docs/DOC-2893 Hope that helps, Aditi

apasupulati · ‎10-07-2013

Is the device successfully connected to the ldap server? Check the following information for the user-group mapping info on the firewall - >show user group-mapping state all //will show the connection status and retrieved groups. >show user user-IDs match-user <username> will show you the groups the user is mapped to. The ouput of "> show user ip-user-mapping ip 10.1.0.49" will not return any groups if the user's groups are not being used in a policy. -Groups that the user belongs to (used in policy) Thanks, Aditi

Member Since	‎10-18-2011 01:44 PM
Date Last Visited	‎09-24-2025 11:36 AM
Posts	87
Total Likes Received	43

Online Status	Offline
Date Last Visited	‎09-24-2025 11:36 AM

About apasupulati

Re: Agentless User-ID

Re: Agentless user-id: Can it connect to only one AD or to multiple ADs at the same time?

Re: Agentless user-id: Can it connect to only one AD or to multiple ADs at the same time?

Re: PA-200 with DHCP assigned Internet IP and GlobalProtect using self signed certs

Re: problem with group membership display in PAOS 5.0

Re: PANOS 5.0.8 User-ID problem.

Re: Does Palo Alto support reverse telnet?

Re: Destination NAT - Entire Subnet

Re: PANOS 5.0.8 User-ID problem.

Re: Global Protect / Enable IPSEC

Re: How real-time is User-ID?

Re: Policy allowing ping/snmp not performing as expected

Re: Global Protect / Enable IPSEC

Re: Agentless user-id: Can it connect to only one AD or to multiple ADs at the same time?

Re: Palo Alto Bandwidth Throttling

Women in Tech: Customer Advocate Bushra Ansar Syeda

Re: invalid configuration. Schema verification failed. profiles -> decryption unexpected here.

Re: Apple MAC's and User-ID

Re: Question on QOS

Re: Authentication Fallback

Re: Agentless User-ID

Re: Agentless user-id: Can it connect to only one AD or to multiple ADs at the same time?

Re: Agentless user-id: Can it connect to only one AD or to multiple ADs at the same time?

Re: PA-200 with DHCP assigned Internet IP and GlobalProtect using self signed certs

Re: problem with group membership display in PAOS 5.0

Re: PANOS 5.0.8 User-ID problem.

Re: Does Palo Alto support reverse telnet?

Re: Destination NAT - Entire Subnet

Re: PANOS 5.0.8 User-ID problem.

Re: Global Protect / Enable IPSEC

Re: Is it possible for PaloAlto to read the client IP address or User name from HTTP header (when using proxy server)?

Re: is it possible to exclude traffic and threat log from exporting to syslog server ?

Re: URL Filtering 4183 blocking Yahoo Mail as Phishing ?

Re: User loses privileges...UserID

Re: PA dont recognise the groups for one user

Unlock your full community experience!

About apasupulati