How to Configure User Identification Timeout for PAN-OS integrated User-ID agent

How to Configure User Identification Timeout for PAN-OS integrated User-ID agent

16876
Created On 11/18/19 03:12 AM - Last Modified 11/18/19 03:23 AM


Objective
  • The PAN-OS integrated User-ID agent or Agentless user-id setup performs the same tasks as the Windows-based agent with the exception of NetBIOS client probing (WMI probing is supported)
  • This document explains how to configure cache timeout for user mapping to  ensure that the firewall has the most current user mapping information 


Environment
  • PAN-OS Firewall
  • Agentless user-id setup or PAN-OS integrated User-ID agent


Procedure
  • Navigate to Device --> User Identification
  • Click on "User Mapping" Tab
  • Click on "Edit" in section "Palo Alto Networks User-ID Agent Setup" 
       User-added image
  • Click on tab "Cache"
  • Check the option "Enable User Identification Timeout". This option will enable a timeout value for user mapping entries on the firewall. Once the timeout clue is reached for an user-ip mapping, Firewall will clear the mapping and collect a new mapping. 
       User-added image
  • Change the value in option "User Identification Timeout" to set a required timeout value. The timeout value is in minutes. Default value for this option is 45 and maximum value is 1440 
  • Click on Commit
CLI Configuration:
  • We can make this changes from CLI too. With the below command we can enable or disable the User Identification Timeout 
               #set user-id-collector setting enable-mapping-timeout <yes|no>
  • Below command can be used from CLI to change the user-ip mapping timeout value
              #set user-id-collector setting ip-user-mapping-timeout <1-1440>



 


Additional Information
Please refer the below link which explains how to achieve the same objective in Windows based user-id agent.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClZzCAK


Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNVyCAO&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments