Overview
For IP-to-user mappings, many networks monitor more than one Active Directory domain controller for redundancy, and the firewall may learn the same mapping from more than one User-ID source (for example a Windows-based User-ID agent and the agentless User-ID configured on the firewall). Troubleshooting user mapping issues is harder when the source of a particular mapping is unknown. This document shows how to use the > show log userid command to obtain useful information about user mappings, including which data source the firewall learned a mapping from and when.
Steps
As an example, one User-ID agent (Agent243) and one agentless User-ID source (Agentless243) are configured on the firewall.
- Verify the configured sources from which you are learning user mappings.
- For User-ID Agents hosted on a Windows machine, use the command:
> show user user-id-agent statistics
- For agentless User-ID configured on the firewall, use the following command:
> show user server-monitor statistics
- Verify the user mappings that are currently learned on the firewall, using either of these commands.
- For all known mappings on the firewall:
> show user ip-user-mapping all
- For user mappings to a specific IP, for example 1.1.1.1:
> show user ip-user-mapping ip 1.1.1.1
- Once you know which data sources are configured and which users or IP addresses are in question, use the > show log userid command to find out where and when each mapping was learned.
Note: Debug mode should be enabled on the User-ID process for in-depth logging.
Examples of using the show log userid command:
- Determine the most recent addresses learned from the agentless User-ID source (Agentless243):
> show log userid datasourcename equal Agentless243 direction equal backward
Domain,Receive Time,Serial #,Type,Threat/Content Type,Config Version,Generate Time,Virtual System,ip,User,datasourcename,eventid,Repeat Count,timeout,beginport,endport,datasource,datasourcetype,seqno,actionflags
1,2013/10/17 17:31:05,0006C114479,USERID,login,4,2013/10/17 17:31:05,vsys1,10.66.22.60,plano2008r2\userid,Agentless243,0,1,2700,0,0,active-directory,unknown,4434,0x0
1,2013/10/17 17:29:58,0006C114479,USERID,login,4,2013/10/17 17:29:58,vsys1,10.66.22.85,plano2008r2\ldapsvc,Agentless243,0,1,2700,0,0,active-directory,unknown,4342,0x0
- Determine the most recent mappings received for IP address 192.168.40.212:
> show log userid ip in 192.168.40.212 direction equal backward
Domain,Receive Time,Serial #,Type,Threat/Content Type,Config Version,Generate Time,Virtual System,ip,User,datasourcename,eventid,Repeat Count,timeout,beginport,endport,datasource,datasourcetype,seqno,actionflags
1,2013/10/17 17:09:33,0006C114479,USERID,login,3,2013/10/17 17:09:33,vsys1,192.168.40.212,plano2008r2\tasonibare,Agent243,0,1,3600,0,0,agent,unknown,18,0x0
- Determine the mappings that were identified through Kerberos authentication (filtering on the datasourcetype column):
> show log userid datasourcetype equal kerberos
- Determine the earliest mappings received for user 'plano2008r2\userid':
> show log userid user equal 'plano2008r2\userid'
Domain,Receive Time,Serial #,Type,Threat/Content Type,Config Version,Generate Time,Virtual System,ip,User,datasourcename,eventid,Repeat Count,timeout,beginport,endport,datasource,datasourcetype,seqno,actionflags
1,2013/10/17 17:09:33,0006C114479,USERID,login,3,2013/10/17 17:09:33,vsys1,10.66.22.87,plano2008r2\userid,Agent243,0,1,3600,0,0,agent,unknown,8,0x0
1,2013/10/17 17:11:54,0006C114479,USERID,login,4,2013/10/17 17:11:54,vsys1,10.66.22.87,plano2008r2\userid,Agentless243,0,1,2700,0,0,active-directory,unknown,21,0x0
Note: The command above includes the domain and the username in quotes, and the direction keyword was left out, so the log is read forward and the oldest events are listed first. This user has been learned from both the User-ID agent (Agent243, datasource agent) and the agentless source (Agentless243, datasource active-directory) for the same IP, with different timeout values (3600 and 2700). When the same IP is reported by more than one source, the datasourcename and datasource columns tell you which one supplied each event.
- Show all logs related to userid:
> show log userid
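To show what a practitioner does with this output once it leaves the CLI, here is an added example in Python; it is not part of the original article and not PAN-OS code. It parses the CSV lines printed by > show log userid, groups the events per IP, reports which data source supplied the most recent mapping for each IP, flags IPs for which more than one distinct user was learned, and checks whether a mapping has aged out. The sample log embedded in the script is constructed: it repeats the records shown above and adds one hypothetical event at 17:40:00 in which Agent243 reports a different user for 10.66.22.87. The script assumes the timeout column is the mapping lifetime in seconds (2700 being the 45-minute default).

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Column order exactly as printed in the CSV header of `show log userid`.
FIELDS = [
    "Domain", "Receive Time", "Serial #", "Type", "Threat/Content Type",
    "Config Version", "Generate Time", "Virtual System", "ip", "User",
    "datasourcename", "eventid", "Repeat Count", "timeout", "beginport",
    "endport", "datasource", "datasourcetype", "seqno", "actionflags",
]
TIME_FMT = "%Y/%m/%d %H:%M:%S"

# Constructed sample log: the five records shown in the examples above, plus one
# constructed (hypothetical) record at 17:40:00 in which Agent243 reports a
# different user for 10.66.22.87, so that the conflict check has something to find.
SAMPLE_LOG = r"""
Domain,Receive Time,Serial #,Type,Threat/Content Type,Config Version,Generate Time,Virtual System,ip,User,datasourcename,eventid,Repeat Count,timeout,beginport,endport,datasource,datasourcetype,seqno,actionflags
1,2013/10/17 17:31:05,0006C114479,USERID,login,4,2013/10/17 17:31:05,vsys1,10.66.22.60,plano2008r2\userid,Agentless243,0,1,2700,0,0,active-directory,unknown,4434,0x0
1,2013/10/17 17:29:58,0006C114479,USERID,login,4,2013/10/17 17:29:58,vsys1,10.66.22.85,plano2008r2\ldapsvc,Agentless243,0,1,2700,0,0,active-directory,unknown,4342,0x0
1,2013/10/17 17:09:33,0006C114479,USERID,login,3,2013/10/17 17:09:33,vsys1,192.168.40.212,plano2008r2\tasonibare,Agent243,0,1,3600,0,0,agent,unknown,18,0x0
1,2013/10/17 17:09:33,0006C114479,USERID,login,3,2013/10/17 17:09:33,vsys1,10.66.22.87,plano2008r2\userid,Agent243,0,1,3600,0,0,agent,unknown,8,0x0
1,2013/10/17 17:11:54,0006C114479,USERID,login,4,2013/10/17 17:11:54,vsys1,10.66.22.87,plano2008r2\userid,Agentless243,0,1,2700,0,0,active-directory,unknown,21,0x0
1,2013/10/17 17:40:00,0006C114479,USERID,login,4,2013/10/17 17:40:00,vsys1,10.66.22.87,plano2008r2\tasonibare,Agent243,0,1,3600,0,0,agent,unknown,4500,0x0
"""


def parse_userid_log(text):
    """Parse `show log userid` CSV output into a list of dicts, oldest event first.

    The header row is skipped and any row that does not have the expected number
    of columns (for example a line wrapped by the terminal) is ignored.
    """
    records = []
    for row in csv.reader(io.StringIO(text.strip())):
        if len(row) != len(FIELDS) or row[0] == FIELDS[0]:
            continue
        rec = dict(zip(FIELDS, row))
        rec["Receive Time"] = datetime.strptime(rec["Receive Time"], TIME_FMT)
        rec["timeout"] = int(rec["timeout"])
        rec["seqno"] = int(rec["seqno"])
        records.append(rec)
    # Normalise the order whether the log was read forward or backward.
    records.sort(key=lambda r: (r["Receive Time"], r["seqno"]))
    return records


def mappings_by_ip(records):
    """Group mapping events per IP address, oldest first."""
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec["ip"]].append(rec)
    return dict(by_ip)


def latest_mapping(records, ip):
    """The most recent mapping event for an IP: the user and the data source the
    firewall last learned for it. Compare with `show user ip-user-mapping ip <ip>`."""
    events = mappings_by_ip(records).get(ip, [])
    return events[-1] if events else None


def mapping_valid_at(rec, when):
    """True if the mapping has not aged out at `when` (a datetime or a string in
    TIME_FMT). Assumption: the timeout column is the lifetime in seconds counted
    from Receive Time (2700 is the 45-minute default)."""
    if isinstance(when, str):
        when = datetime.strptime(when, TIME_FMT)
    return when < rec["Receive Time"] + timedelta(seconds=rec["timeout"])


def find_conflicts(records):
    """IPs for which more than one distinct user was learned, mapped to
    {user: {data sources that reported it}}. These are the mappings to verify
    against the sources before trusting the firewall's current mapping."""
    users = defaultdict(lambda: defaultdict(set))
    for rec in records:
        users[rec["ip"]][rec["User"]].add(rec["datasourcename"])
    return {ip: dict(u) for ip, u in users.items() if len(u) > 1}


def sources_for_user(records, user):
    """Every datasourcename that reported this user (domain\\user, case-insensitive)."""
    return {r["datasourcename"] for r in records if r["User"].lower() == user.lower()}


if __name__ == "__main__":
    recs = parse_userid_log(SAMPLE_LOG)
    for ip, events in sorted(mappings_by_ip(recs).items()):
        last = events[-1]
        print(f"{ip:16} {last['User']:28} via {last['datasourcename']} "
              f"({last['datasource']}) at {last['Receive Time']:%H:%M:%S}, "
              f"{len(events)} event(s)")
    for ip, users in find_conflicts(recs).items():
        print(f"CONFLICT {ip}: " + "; ".join(f"{u} from {sorted(s)}" for u, s in users.items()))
```

Paste the output of > show log userid into a file and hand it to parse_userid_log(); the conflict list is the place to start when > show user ip-user-mapping shows a user you did not expect for an address, because it tells you which source reported each competing user and when.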
owner: tasonibare