Palo Alto Networks Knowledgebase: How to Determine the Source of User Mappings

How to Determine the Source of User Mappings

7819
Created On 02/07/19 23:48 PM - Last Updated 02/07/19 23:48 PM
User-ID
Resolution

Overview

For IP-to-user mappings, many networks have more than one monitored Active Directory or Domain Controller for data redundancy. Troubleshooting user mapping issues may be harder if the source of a particular user mapping is unknown. This document presents how to use the > show log userid command to obtain useful information regarding user mapping information, including how the user mapping was learned by the firewall.

 

Steps

As an example, one User-ID agent (Agent243) and one Agentless User-ID (Agentless243) are configured on the firewall.

  1. Verify the configured sources from which you are learning user mappings.
    1. For User-ID Agents hosted on a Windows machine, use the command:
      > show user user-id-agent statistics
    2. For agentless User-ID configured on the firewall, use the following command:
      > show user server-monitor statistics
  2. Verify the user mappings that are currently learned on the firewall, using either of these commands.
    1. For all known mappings on the firewall:
      > show user ip-user-mapping all
    2. For user mappings to a specific IP - Example 1.1.1.1:
      > show user ip-user-mapping ip 1.1.1.1
  3. Once you know enough about the configured data sources or users, you can use the > show log userid command to derive more useful information about the user mappings.
    Note: Debug mode should be enabled on the User-ID process for in-depth logging
    • Enabled debug mode
      > debug user-id log-ip-user-mapping yes
    • Disable debug mode after acquiring the desired logs
      > debug user-id log-ip-user-mapping no

 

Examples of using the show log userid command:

  • Determine the most recent addresses learned from the agenless user-id source:
> show log userid datasourcename equal Agentless243 direction equal backward

Domain,Receive Time,Serial #,Type,Threat/Content Type,Config Version,Generate
Time,Virtual System,ip,User,datasourcename,eventid,Repeat Count,timeout,
beginport,endport,datasource,datasourcetype,seqno,actionflags

1,2013/10/17 17:31:05,0006C114479,USERID,login,4,2013/10/17 17:31:05,vsys1,
10.66.22.60,plano2008r2\userid,Agentless243,0,1,2700,0,0,active-directory,
unknown,4434,0x0

1,2013/10/17 17:29:58,0006C114479,USERID,login,4,2013/10/17 17:29:58,vsys1,
10.66.22.85,plano2008r2\ldapsvc,Agentless243,0,1,2700,0,0,active-directory,
unknown,4342,0x0
 

 

  • Determine the most recent mappings received for IP address 192.168.40.212:
> show log userid ip in 192.168.40.212 direction equal backward

Domain,Receive Time,Serial #,Type,Threat/Content Type,Config Version,Generate
Time,Virtual System,ip,User,datasourcename,eventid,Repeat Count,timeout,
beginport,endport,datasource,datasourcetype,seqno,actionflags

1,2013/10/17 17:09:33,0006C114479,USERID,login,3,2013/10/17 17:09:33,vsys1,
192.168.40.212,plano2008r2\tasonibare,Agent243,0,1,3600,0,0,agent,unknown,18,
0x0

 

  • Determine the mappings that were identified through kerberos authentication:
> show log userid datasourcetype equal kerberos

 

  • Determine the earliest recent mappings received for user 'piano2008r2\userid'
> show log userid user equal 'piano2008r2\userid'

Domain,Receive Time,Serial #,Type,Threat/Content Type,Config Version,Generate
Time,Virtual System,ip,User,datasourcename,eventid,Repeat Count,timeout,
beginport,endport,datasource,datasourcetype,seqno,actionflags


1,2013/10/17 17:09:33,0006C114479,USERID,login,3,2013/10/17 17:09:33,vsys1,
10.66.22.87,piano2008r2\userid,Agent243,0,1,3600,0,0,agent,unknown,8,0x0

1,2013/10/17 17:11:54,0006C114479,USERID,login,4,2013/10/17 17:11:54,vsys1,
10.66.22.87,piano2008r2\userid,Agentless243,0,1,2700,0,0,active-directory,
unknown,21,0x0

Note: The command above includes the domain and the username in quotes and the direction keyword was left out. This user has also been learned from both the agentless and user-id agent sources.

 

  • Show all logs related to userid:
> show log userid

 

owner: tasonibare



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClpCCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language