Does the Firewall Query User-ID agent for an "unknown" user?

19422
Created On 03/30/19 02:44 AM - Last Modified 04/19/24 19:51 PM


Question


Does the next-generation firewall query the User-ID agent for an "unknown" user?

Environment


  • Palo Alto Firewall.
  • PAN-OS below 10.0.
  • User-ID configured to obtain IP-to-user mappings from the User-ID Agent


Answer


The User-ID agent will communicate with the firewall for any new User-ID mappings, and (by default) the firewall will query the User-ID agent for any IP addresses seen with user mapping as "unknown" in a zone that has User-ID enabled.


The default behavior is to query the User-ID agent for unknown users. The current setting can be checked with the following command.

admin@PA > show system state | match query
cfg.useridd.query-unknown-ip: 1
 

This behavior is configurable. To stop the next-generation firewall from querying the User-ID agent, use the following command:

admin@PA > debug user-id query-unknown-ip off 
cfg.useridd.query-unknown-ip: 0
Additional Information


From PAN-OS 10.0, the default behavior has changed: the firewall no longer queries the User-ID agent for unknown users.

admin@PA > show system state | match query
cfg.useridd.query-unknown-ip: 0

If the firewall or Panorama should query the User-ID agent for unknown users as it did in PAN-OS 9.1 and earlier, the following command restores that behavior.

admin@PA > debug user-id query-unknown-ip on
cfg.useridd.query-unknown-ip: 1

Details are documented in the PAN-OS 10.0 Release Notes as follows.
  • Previously, if User-ID could not identify a user from the existing mappings, it would send a query for updated user mappings to all User-ID agents, which was useful if there was a longer time interval between updates. Now, the agents send the mapping updates to the firewall or Panorama in real time so there is no need to send the query for new mappings.
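Because the release default flipped at PAN-OS 10.0, a value of 1 or 0 on its own does not tell you whether someone has run the debug command on a given box. The following script is an added illustration, not Palo Alto Networks code: it parses the `cfg.useridd.query-unknown-ip` line shown above together with the `sw-version` line from `show system info` (assumed to be captured as plain CLI text) and reports whether the firewall is on its release default or has been changed. The sample outputs are constructed, not taken from real devices.

```python
import re
from dataclasses import dataclass

# Matches the line this article shows: "cfg.useridd.query-unknown-ip: 1"
STATE_RE = re.compile(r"^cfg\.useridd\.query-unknown-ip:\s*([01])\s*$", re.MULTILINE)
# Matches the sw-version line of `show system info`, e.g. "sw-version: 10.0.2-h1"
# (assumption: the output is captured verbatim from the CLI)
VERSION_RE = re.compile(r"^sw-version:\s*(\d+)\.(\d+)", re.MULTILINE)


@dataclass(frozen=True)
class QueryUnknownIpStatus:
    version: tuple          # (major, minor) of PAN-OS
    enabled: bool           # current value of cfg.useridd.query-unknown-ip
    default_enabled: bool   # what that release ships with

    @property
    def is_default(self) -> bool:
        return self.enabled == self.default_enabled


def default_for_version(major: int, minor: int) -> bool:
    """Shipped default: query on (1) before 10.0, off (0) from 10.0 onward."""
    return (major, minor) < (10, 0)


def parse_version(system_info: str) -> tuple:
    """Extract (major, minor) from `show system info` text; ignores hotfix suffixes."""
    m = VERSION_RE.search(system_info)
    if not m:
        raise ValueError("no sw-version line found in `show system info` output")
    return int(m.group(1)), int(m.group(2))


def parse_query_unknown_ip(state_output: str) -> bool:
    """Return True when cfg.useridd.query-unknown-ip is 1, False when 0."""
    m = STATE_RE.search(state_output)
    if not m:
        raise ValueError("cfg.useridd.query-unknown-ip not present in output")
    return m.group(1) == "1"


def assess(system_info: str, state_output: str) -> QueryUnknownIpStatus:
    """Combine version and current setting so drift from the default is visible."""
    major, minor = parse_version(system_info)
    return QueryUnknownIpStatus(
        version=(major, minor),
        enabled=parse_query_unknown_ip(state_output),
        default_enabled=default_for_version(major, minor),
    )


def describe(status: QueryUnknownIpStatus) -> str:
    state = "queries" if status.enabled else "does not query"
    note = ("release default" if status.is_default
            else "changed from the release default via `debug user-id query-unknown-ip`")
    return (f"PAN-OS {status.version[0]}.{status.version[1]}: firewall {state} "
            f"the User-ID agent for unknown IPs ({note})")


# Constructed sample outputs (not captured from real devices)
SAMPLE_91_INFO = "hostname: fw-lab\nsw-version: 9.1.11\nmodel: PA-220\n"
SAMPLE_91_STATE = "cfg.useridd.query-unknown-ip: 1\n"
SAMPLE_100_INFO = "hostname: fw-dc\nsw-version: 10.0.2-h1\nmodel: PA-3220\n"
SAMPLE_100_STATE_ON = "cfg.useridd.query-unknown-ip: 1\n"
SAMPLE_100_STATE_OFF = "cfg.useridd.query-unknown-ip: 0\n"

if __name__ == "__main__":
    for info, state in [(SAMPLE_91_INFO, SAMPLE_91_STATE),
                        (SAMPLE_100_INFO, SAMPLE_100_STATE_ON),
                        (SAMPLE_100_INFO, SAMPLE_100_STATE_OFF)]:
        print(describe(assess(info, state)))
```

Run across a fleet, the `is_default` flag separates 10.x firewalls where an operator turned the query back on from 9.1 firewalls still on their shipped default, which is the distinction the raw 0/1 value hides.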


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLKACA4&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail