User ID Agent IP mapping overwritten by the AntiVirus Username

Created On 02/28/19 23:17 PM - Last Modified 02/05/25 01:24 AM


Symptom


  • A User-ID agent is learning IP-to-user mappings from a Domain Controller (DC).
  • When a user logs in to a Windows client machine, an IP-to-user mapping for that client is added on the User-ID agent.
  • After some time, the mapping for the client's IP on the User-ID agent is overwritten with the username "AVUpdateMgr".


Environment


  • PAN-OS 8.1.4
  • User-ID Agent
  • Sophos AV software on the Windows client machine


Cause


  • The antivirus software on the client authenticates to the Domain Controller (DC) with its own service account, "AVUpdateMgr".
  • The DC records that logon as coming from the client's IP. Because the User-ID agent learns mappings from the DC's logon events, it treats this as a new user on that IP and overwrites the mapping with "AVUpdateMgr".


Resolution


  1. Add "AVUpdateMgr" to the ignore-user list on the User-ID agent.
  2. Follow the steps in the KB article How to Ignore Users in User-ID that apply to the User-ID agent (as opposed to the firewall's integrated User-ID).
NOTE: To verify, run the following command on the firewall CLI. Once the ignore list is in effect and the stale entry has timed out or been cleared, it should return no rows:
show user ip-user-mapping all | match AVUpdateMgr


Additional Information


To clear the mapping for a single IP (for example, to remove a stale "AVUpdateMgr" entry right after adding the account to the ignore list, instead of waiting for it to time out), run:
clear user-cache ip a.b.c.d
To refresh the IP-to-user mappings from the agent, run:
debug user-id refresh user-id agent <value>
To reset (reconnect) the User-ID agent, run the following command (issue this only during a maintenance window):
debug user-id reset user-id-agent <value>
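The following script is an added example, not part of the original KB article or of any Palo Alto Networks tool. It ties the Resolution and the Additional Information commands together: it parses the table printed by `show user ip-user-mapping all`, compares each mapped user against the content of the agent's ignore_user_list.txt, reports any IP whose mapping has been taken over by an account that should have been ignored, and emits the matching `clear user-cache ip` commands. The command output and the ignore-list content are constructed samples in the shape of the real ones; the column layout assumed here is the 8.1-era table (IP, Vsys, From, User, IdleTimeout(s), MaxTimeout(s)) and may differ on other releases. Stripping the DOMAIN\ prefix before comparing is this script's choice so that either form of the account name matches.

```python
"""Check User-ID mappings for ignored service accounts that still own an IP.

Added example (not from the KB article). Assumptions: the mapping table has
the 8.1-era columns shown in the constructed sample, and ignore_user_list.txt
holds one account name per line.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample output shaped like `show user ip-user-mapping all`.
# 10.1.1.51 is the case from the article: a real user's mapping overwritten
# by the antivirus service account.
SAMPLE_MAPPING_OUTPUT = """\
IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
10.1.1.50       vsys1  UIA     acme\\jsmith                      2400           2700
10.1.1.51       vsys1  UIA     acme\\avupdatemgr                 2695           2700
10.1.1.52       vsys1  UIA     acme\\svc-backup                  1800           2700
Total: 3 users
"""

# Constructed ignore_user_list.txt content (one account per line). On the
# Windows agent this file lives in the agent's installation folder; the exact
# path is deployment-specific and not assumed here.
SAMPLE_IGNORE_LIST = """\
avupdatemgr
"""

# One data row: dotted-quad IP, vsys, source, user. Header, separator and the
# trailing "Total: N users" line do not start with an IP and are skipped.
MAPPING_ROW = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<vsys>\S+)\s+(?P<source>\S+)\s+(?P<user>\S+)"
)


def parse_ip_user_mapping(text: str) -> List[Dict[str, str]]:
    """Return one dict per mapping row found in the command output."""
    return [m.groupdict() for m in map(MAPPING_ROW.match, text.splitlines()) if m]


def bare_name(user: str) -> str:
    """Lower-case account name with any DOMAIN\\ prefix removed."""
    return user.rsplit("\\", 1)[-1].lower()


def load_ignore_list(text: str) -> Set[str]:
    """Parse ignore_user_list.txt content into a set of normalised names."""
    return {bare_name(line.strip()) for line in text.splitlines() if line.strip()}


def find_overwritten_mappings(
    mappings: List[Dict[str, str]], ignore_users: Set[str]
) -> List[Tuple[str, str]]:
    """IPs currently mapped to an account on the ignore list.

    If the list is in effect these rows should not exist; each hit means the
    agent has not yet applied the list or a stale entry is still cached.
    """
    return [(r["ip"], r["user"]) for r in mappings if bare_name(r["user"]) in ignore_users]


def remediation_commands(hits: List[Tuple[str, str]]) -> List[str]:
    """PAN-OS CLI commands that drop the stale entries without waiting for timeout."""
    return [f"clear user-cache ip {ip}" for ip, _ in hits]


def add_ignore_user(ignore_text: str, username: str) -> str:
    """Return ignore_user_list.txt content with `username` appended once."""
    if bare_name(username) in load_ignore_list(ignore_text):
        return ignore_text
    sep = "" if (not ignore_text or ignore_text.endswith("\n")) else "\n"
    return f"{ignore_text}{sep}{username}\n"


if __name__ == "__main__":
    rows = parse_ip_user_mapping(SAMPLE_MAPPING_OUTPUT)
    hits = find_overwritten_mappings(rows, load_ignore_list(SAMPLE_IGNORE_LIST))
    for ip, user in hits:
        print(f"{ip} is mapped to ignored account {user}")
    for cmd in remediation_commands(hits):
        print(cmd)
```

Run it against the real output by replacing SAMPLE_MAPPING_OUTPUT with the text captured from the firewall CLI and SAMPLE_IGNORE_LIST with the agent's actual file. Any row it reports after the ignore list has been loaded means the agent still needs the list applied, or the entry should be cleared with the printed command.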
