Inconsistent userID mapping when FQDN and netbios name are different
19069
Created On 03/05/19 00:01 AM - Last Modified 10/09/20 02:50 AM
Symptom
IP-to-user mappings on the firewall intermittently appear with different domain names, as shown in the example output below.
admin@firewall(active)> show user ip-user-mapping all
IP                                  Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
----------------------------------- ------ ------- -------------------------------- -------------- -------------
10.1.100.22                         vsys1  UIA     testdomain.com\jsmith            26265          26265
10.1.100.26                         vsys1  UIA     sampledomain\user1               21234          21234
10.1.100.56                         vsys1  UIA     sampledomain\user2               28739          28739
10.1.100.19                         vsys1  UIA     sampledomain\user3               22501          22501
Because the group mapping on the firewall uses sampledomain, user traffic sometimes does not match the correct security policy.
admin@firewall(active)> show user group name cn=access,ou=groups,dc=sampledomain,dc=com
short name: sampledomain\access
source type: ldap
source: groups
[1 ] sampledomain\jsmith
[2 ] sampledomain\user1
[3 ] sampledomain\user2
[4 ] sampledomain\user3
Environment
- PAN-OS 8.1 and above.
- Palo Alto Networks firewall receiving IP-to-user mappings from the Windows User-ID agent.
- A single Active Directory domain (sampledomain.com) whose NetBIOS name, "testdomain", differs from its FQDN.
Cause
When the FQDN and NetBIOS name differ, the Active Directory security logs contain logon events under both domain names, and the most recent logon event becomes the current IP-to-user mapping.
NOTE: This is not a multi-domain environment; it is simply that the FQDN and NetBIOS names of the one Active Directory domain are different.
Resolution
To resolve the issue of mappings being seen for both sampledomain and testdomain, add testdomain\* to the ignore list on the Windows User-ID agent.
When mappings for testdomain are received, the agent ignores them and does not send them to the firewall.
For details on how to update the ignore list on the Windows agent, please refer to How To Ignore Users in User-ID.
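The following is an added example, not part of the original article or of any Palo Alto Networks tool: it parses constructed `show user ip-user-mapping all` output, reports mappings that will not match a policy built on the sampledomain group, and shows the effect of a testdomain\* ignore-list entry. The sample data and the fnmatch-based wildcard handling are assumptions made for this example.

```python
import fnmatch
import re

# Constructed sample modelled on the article's `show user ip-user-mapping all`
# output; the values are made up for this example, not taken from a real firewall.
SAMPLE_MAPPINGS = """\
IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
10.1.100.22     vsys1  UIA     testdomain\\jsmith                26265          26265
10.1.100.26     vsys1  UIA     sampledomain\\user1               21234          21234
10.1.100.56     vsys1  UIA     sampledomain\\user2               28739          28739
10.1.100.19     vsys1  UIA     sampledomain\\user3               22501          22501
"""

# Constructed group membership, in the short-name form that group mapping returns.
SAMPLE_GROUP = {"sampledomain\\jsmith", "sampledomain\\user1",
                "sampledomain\\user2", "sampledomain\\user3"}

def parse_mappings(text):
    """Return (ip, 'domain\\user') tuples from the table body, user lower-cased."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        # Skip the header, the dashed separator and any line not starting with an IPv4 address.
        if len(fields) < 6 or not re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", fields[0]):
            continue
        rows.append((fields[0], fields[3].lower()))
    return rows

def policy_unmatched(mappings, group_members):
    """Mappings whose domain\\user is not a member of the group used in policy.
    A user who is in the group under the other domain prefix still shows up here,
    which is exactly the mismatch the article describes."""
    members = {m.lower() for m in group_members}
    return [(ip, name) for ip, name in mappings if name not in members]

def apply_ignore_list(mappings, patterns):
    """Drop mappings matching agent-style ignore entries such as 'testdomain\\*'.
    Wildcard handling via fnmatch is an assumption standing in for the agent's own."""
    return [(ip, name) for ip, name in mappings
            if not any(fnmatch.fnmatch(name, p.lower()) for p in patterns)]

if __name__ == "__main__":
    mappings = parse_mappings(SAMPLE_MAPPINGS)
    for ip, name in policy_unmatched(mappings, SAMPLE_GROUP):
        print(f"{ip} mapped as {name}: will not match policy built on the group")
    kept = apply_ignore_list(mappings, ["testdomain\\*"])
    print(len(kept), "mappings kept after applying the ignore list")
```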