IP-to-User Mappings Have Inconsistent Domain Prefix
92462
Created On 09/25/18 19:10 PM - Last Modified 02/25/21 03:58 AM
Symptom
- When the show user ip-user-mapping all command is run, some IP-to-user mappings display an inconsistent domain prefix.
- The inconsistent domain prefix may cause the users listed with the DNS domain name to hit the wrong security policy if group-based policies are used.
- In the example below, some entries are listed as NetBIOS-domain\username, while others are listed as DNS-domain\username.
> show user ip-user-mapping all
IP              Vsys   From  User                           IdleTimeout(s) MaxTimeout(s)
--------------  ------ ----- ------------------------------ -------------- -------------
172.19.1.14     vsys1  AD    subdomain.root.com\fflintsone  0              3
10.19.0.78      vsys1  AD    subdomain\brubble              297            295
10.0.0.246      vsys1  AD    subdomain.root.com\dino        0              3
Total: 3 users
Environment
- Any PAN-OS.
- Palo Alto Firewall.
- Agentless User-ID used in a multi-domain AD forest environment.
Cause
- The issue is seen when the domain map is not populated on the device.
- To check whether the domain map exists, run the command debug user-id dump domain-map. No output indicates the problem: the domain map is required to resolve the DNS domain name to the NetBIOS domain name, and that resolution is part of the user-to-IP normalization process.
- The domain map can only be pulled from a directory partition on a root domain controller.
Resolution
- Create an LDAP (port 389 or 636) server profile that connects to one of the root domain controllers. This DC must also be a global catalog server.
- Create a group mapping profile that uses the above LDAP server profile and pulls at least one group from the root domain.
- Reset group mapping.
> debug user-id reset group-mapping all
- Restart User-ID by using the command
> debug software restart process user-id
- Confirm that the domain map now exists.
> debug user-id dump domain-map
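As an added example (not part of this article or of PAN-OS), the script below parses the output of show user ip-user-mapping all, flags entries whose domain prefix is a DNS name rather than a NetBIOS name, and shows the DNS-to-NetBIOS normalization that a populated domain map makes possible. The sample output and the domain map contents are constructed to match the article's example; the real mapping comes from debug user-id dump domain-map.

```python
"""Check `show user ip-user-mapping all` output for mixed domain prefixes."""
import re
from collections import namedtuple

Mapping = namedtuple("Mapping", "ip vsys source user idle max")

# Constructed sample, modelled on the output shown in the article.
SAMPLE = """\
IP              Vsys   From  User                           IdleTimeout(s) MaxTimeout(s)
--------------  ------ ----- ------------------------------ -------------- -------------
172.19.1.14     vsys1  AD    subdomain.root.com\\fflintsone  0              3
10.19.0.78      vsys1  AD    subdomain\\brubble              297            295
10.0.0.246      vsys1  AD    subdomain.root.com\\dino        0              3
Total: 3 users
"""

# Constructed DNS-domain -> NetBIOS-domain map (assumed values), standing in
# for what `debug user-id dump domain-map` returns once it is populated.
DOMAIN_MAP = {"subdomain.root.com": "subdomain", "root.com": "root"}

# One mapping row: ip, vsys, source, domain\user, idle timeout, max timeout.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s*$")


def parse_mappings(text):
    """Return the data rows; header, separator and 'Total:' lines do not match."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m and "\\" in m.group(4):
            ip, vsys, src, user, idle, mx = m.groups()
            rows.append(Mapping(ip, vsys, src, user, int(idle), int(mx)))
    return rows


def dns_prefixed(mappings):
    """Mappings whose domain prefix contains a dot, i.e. a DNS-style domain."""
    return [m for m in mappings if "." in m.user.partition("\\")[0]]


def is_inconsistent(mappings):
    """True when NetBIOS-prefixed and DNS-prefixed entries coexist."""
    dns = len(dns_prefixed(mappings))
    return 0 < dns < len(mappings)


def normalize(user, domain_map):
    """Rewrite domain\\user with the NetBIOS name when the domain map knows it."""
    domain, _, name = user.partition("\\")
    return domain_map.get(domain.lower(), domain) + "\\" + name


if __name__ == "__main__":
    rows = parse_mappings(SAMPLE)
    print("inconsistent prefixes:", is_inconsistent(rows))
    for m in dns_prefixed(rows):
        print(m.ip, m.user, "->", normalize(m.user, DOMAIN_MAP))
```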
Additional Information
All About User-ID Domain Map.