Overview
User-ID is enabled and the logs on the Palo Alto Networks firewall sometimes show users as "Unknown."
Details
The User-ID Agent caches user mapping information for the duration of the "Age-out Timeout" which defaults to 45 minutes. When a new user logs in, then the timer resets.
The Palo Alto Networks firewall connects to the User-ID Agent upon configuration commit or after a reboot. The firewall retrieves both Group and User information from the User-ID Agent.
When traffic is received from an IP address that is not yet known (unknown) the UIDAgent is queried for user information and an entry is created on the firewall with a lifetime equal to the timeout left on the UIDAgent's cached entry
The following is an example of a scenario when a user may become "Unknown" to the Palo Alto Networks firewall:
- A user logs in at Time0 (T0), the User-ID Agent sees the login in the AD security log and maps the IP to the user. The entry is sent to the firewall and it also creates an entry with the same lifetime (MaxTimeout) as the UIDAgent
- 30 minutes later (T0 + 30), the user sends data through the firewall. User is still identified.
- 14 minutes later (T0 + 44), the user sends more data. The user still has an active mapping.
- 2 minutes later (T1 = T0 + 46), the mapping on the agent ages out, and the removal is communicated to the firewall. Mapping is deleted on the firewall.
- 58 minutes later (T1 + 58), the user sends more data. The cache on the firewall was expired, so it requests an IP mapping from the agent but receives "Unknown" user
Note: This user will remain "Unknown" until :
-
- the user logs back into the domain
- a positive security audit log is picked up by the UIDAgent
- a wmi/netbios probe positively identifies the user
The User Identification Timeout on the User-ID Agent is currently set to 45 minutes, which means the ip-user-mapping is cached for 45 minutes. After 45 minutes, the mapping is cleared. Subsequently, if the ip-user-mapping is requested again for the same IP, the User-ID Agent may attempt to use NetBIOS/WMI probes to determine the user at the IP address, if this configuration is enabled and supported on the network.
Resolution
When the user logs back into the domain, the user mapping will update automatically and the username will appear in the Palo Alto Networks firewall logs.
To verify if WMI probing is working in the environment, run the command below from User-ID Agent device to any device in the domain. If WMI is working, it will return the name of the user logged on. If the WMI is not working, an error will be returned. This is the same mechanism used by the User-ID Agent in WMI probing.
> wmic /node:<hostname> computersystem get username
Eg. :
> wmic /node:10.1.1.1 computersystem get username
username
example\testuser
here,
10.1.1.1 : IP being probed
example : Domain name of the user
testuser : username of the user with IP 10.1.1.1
The use of WMI is dependent on the Windows versions and the way the Windows machines are setup (what are the system settings, what services are enabled/disabled on the device, is there a host-based firewall running and so forth).
If users remain 'stationary' (using the same IP address most of the day) the User Identification Timeout can also be increased to several hours or even a full workday
Note: If WMI probing is not used, then increase the user identification timeout to 600 minutes (either on the firewall or User ID Agent)