Palo Alto Networks Knowledgebase: IP-to-User Mappings Have Inconsistent Domain Prefix

Created On 09/25/18 19:10 PM - Last Updated 12/14/19 02:49 AM
Tags: Group Mapping, User-ID, PAN-OS 8.0, 8.1, 9.0
Symptom
  • When the show user ip-user-mapping all command is run, some IP-to-user mappings display an inconsistent domain prefix.
  • Because user-to-IP normalization expects the NetBIOS-domain\username form, the entries listed with the DNS domain name can fail to match their group membership and hit the wrong security policy when group-based policies are in use.
  • In the example below, some entries are listed as NetBIOS-domain\username (subdomain\brubble), while others are listed as DNS-domain\username (subdomain.root.com\fflintsone).
> show user ip-user-mapping all
IP             Vsys   From  User                           IdleTimeout(s) MaxTimeout(s)
-------------- ------ ----- ------------------------------ -------------- -------------
172.19.1.14    vsys1  AD    subdomain.root.com\fflintsone      0              3
10.19.0.78     vsys1  AD    subdomain\brubble                  297            295
10.0.0.246     vsys1  AD    subdomain.root.com\dino            0              3
Total: 3 users
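As an added check (example code written for this article, not Palo Alto Networks' own tooling), the script below parses output of show user ip-user-mapping all pasted from the CLI, counts mappings per domain prefix, cross-checks the row count against the "Total: N users" footer, and flags every entry whose prefix is a DNS domain name (contains a dot) rather than a NetBIOS name. The sample output is constructed from the example above, and the script assumes the column layout shown there. Run it before the fix to see the problem and again after the User-ID restart to confirm that every entry is in NetBIOS-domain\username form.

```python
import re
from collections import Counter

# Constructed sample of "show user ip-user-mapping all" output, modelled on
# the example in this article; it was not captured from a real firewall.
SAMPLE_OUTPUT = """\
IP             Vsys   From  User                           IdleTimeout(s) MaxTimeout(s)
-------------- ------ ----- ------------------------------ -------------- -------------
172.19.1.14    vsys1  AD    subdomain.root.com\\fflintsone      0              3
10.19.0.78     vsys1  AD    subdomain\\brubble                  297            295
10.0.0.246     vsys1  AD    subdomain.root.com\\dino            0              3
Total: 3 users
"""

# One mapping row: IP, vsys, source, user, idle timeout, max timeout.
# The header, the dashed separator and the "Total:" footer do not match
# because their last two columns are not integers. Assumes the column
# layout shown in the article (an assumption, not a documented format).
ROW_RE = re.compile(
    r"^(?P<ip>\S+)\s+(?P<vsys>\S+)\s+(?P<src>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<idle>\d+)\s+(?P<max>\d+)\s*$"
)
TOTAL_RE = re.compile(r"^Total:\s+(\d+)\s+users?\s*$")


def parse_mappings(text):
    """Return one dict per mapping row of the CLI output."""
    return [m.groupdict() for m in map(ROW_RE.match, text.splitlines()) if m]


def declared_total(text):
    """Return the count from the 'Total: N users' footer, or None if absent."""
    for line in text.splitlines():
        m = TOTAL_RE.match(line)
        if m:
            return int(m.group(1))
    return None


def split_user(user):
    """Split 'domain\\user' into (domain, user); no prefix gives ('', user)."""
    domain, sep, name = user.partition("\\")
    return (domain, name) if sep else ("", user)


def is_dns_style(domain):
    """NetBIOS domain names never contain a dot; DNS domain names always do."""
    return "." in domain


def domain_summary(rows):
    """Count mappings per domain prefix so mixed prefixes stand out."""
    return dict(Counter(split_user(r["user"])[0] for r in rows))


def find_dns_prefixed(rows):
    """Rows whose user is DNS-domain\\username, i.e. not yet normalized."""
    return [r for r in rows if is_dns_style(split_user(r["user"])[0])]


def report(text):
    """Print a summary and return the rows that still carry a DNS prefix."""
    rows = parse_mappings(text)
    total = declared_total(text)
    if total is not None and total != len(rows):
        print(f"warning: parsed {len(rows)} rows but footer says {total}")
    print("mappings per domain prefix:", domain_summary(rows))
    bad = find_dns_prefixed(rows)
    for r in bad:
        print(f"DNS-style prefix: {r['ip']:<15} {r['user']}")
    if bad:
        print(f"{len(bad)} of {len(rows)} mappings still carry a DNS domain prefix")
    else:
        print("OK: all prefixes are NetBIOS style")
    return bad


if __name__ == "__main__":
    report(SAMPLE_OUTPUT)
```

On the sample above the script reports two of three mappings with a DNS-style prefix; after a successful fix the same output should show a single NetBIOS prefix for every entry. Because the check keys only on the presence of a dot in the domain part, it also works for mappings learned from sources other than AD, as long as the user column keeps the domain\user form.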
Environment
  • Any PAN-OS.
  • Palo Alto Firewall.
  • Agentless User-ID used in a multi-domain AD forest environment.


Cause
  • The issue is seen when the domain map is not populated on the device.
  • To check whether the domain map exists, run debug user-id dump domain-map. No output indicates the problem: the domain map is what resolves DNS domain names to NetBIOS domain names, and that resolution is required by the user-to-IP normalization process.
  • The domain map can only be pulled from a directory partition on a root domain controller.


Resolution

  1. Create an LDAP (port 389) server profile that connects to one of the root domain controllers; this DC must also be a global catalog server. Plain LDAP on port 389 sends the bind credentials in clear text, so use a dedicated bind account with read-only directory permissions.
  2. Create a group mapping profile that uses the above LDAP server profile and pulls at least one group from the root domain.
  3. Reset group mapping:
> debug user-id reset group-mapping all
  4. Restart User-ID. This restarts the User-ID process, so existing IP-to-user mappings are dropped until they are re-learned; do this in a maintenance window.
> debug software restart user-id
  5. Confirm that the domain map now exists:
> debug user-id dump domain-map
  6. Run show user ip-user-mapping all again and verify that every entry now uses the NetBIOS-domain\username form.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVDCA0&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail