Random Source Users are missing in the traffic logs when using Terminal Server Agent (TSA)

Created On 04/26/19 02:36 AM - Last Modified 04/26/19 03:47 AM


Symptom


  • Traffic logs are missing User-ID information for some sessions from the same source IP address
    (Screenshot not reproduced: blue box = same source IP, red box = missing source User-ID mapping.)
  • Source user has applications sending traffic through the firewall on pre-defined source ports


Environment


Terminal Server Agent (TSA) providing User-ID information to Firewall based on Port Allocation.

Cause


TSA Source Port Allocation Range is 20,000-39,999. This is the full range of port numbers that the TS agent will allocate for user mapping. 

Resolution


If an application running on the workstation uses a source port that is not in the Source Port Allocation Range allocated by the TSA, the user will not be mapped. As a result, the traffic logs will not show a User-ID for sessions whose source port is outside the allocated range.


Workaround:
Source ports on the application need to be changed so that they fall within the configured Source Port Allocation Range of the TSA.
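
The check below is an added example, not part of the original article: it splits exported traffic log rows for one terminal server into mapped sessions, unmapped sessions whose source port is outside the allocation range (the case described here), and unmapped sessions inside the range (a different cause). The CSV column names, IP addresses, users and rows are constructed assumptions.

```python
import csv
import io
from collections import Counter

# TS agent Source Port Allocation Range as stated in this article.
TSA_RANGE = (20000, 39999)

# Constructed sample export; column names (src, sport, srcuser, app) are assumed.
SAMPLE_CSV = """src,sport,srcuser,app
10.1.1.50,20417,alice,web-browsing
10.1.1.50,5060,,sip
10.1.1.50,31002,bob,ssl
10.1.1.50,5060,,sip
10.1.1.50,49152,,ms-rdp
10.1.1.50,25011,,ssl
10.1.1.77,51000,,dns
"""


def audit_unmapped(csv_text, ts_ip, port_range=TSA_RANGE):
    """Classify one terminal server's log rows by User-ID mapping status."""
    lo, hi = port_range
    result = {"mapped": 0, "out_of_range": Counter(), "in_range_unmapped": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["src"] != ts_ip:
            continue  # only the terminal server's own traffic is relevant
        port = int(row["sport"])
        if row["srcuser"].strip():
            result["mapped"] += 1
        elif lo <= port <= hi:
            # Port is inside the range, so this article's cause does not apply.
            result["in_range_unmapped"].append(row)
        else:
            # Port is outside the range the TS agent allocates: no user mapping.
            result["out_of_range"][(port, row["app"])] += 1
    return result


if __name__ == "__main__":
    report = audit_unmapped(SAMPLE_CSV, "10.1.1.50")
    print("mapped sessions:", report["mapped"])
    for (port, app), hits in report["out_of_range"].most_common():
        print(f"unmapped, port {port} outside range ({app}): {hits} session(s)")
    for row in report["in_range_unmapped"]:
        print("unmapped but in range, check another cause:", row["sport"], row["app"])
```

The source ports listed as outside the range identify the applications that need the workaround above.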


