Source user information missing from the Traffic logs in multi-vsys environment

Source user information missing from the Traffic logs in multi-vsys environment

9656
Created On 06/07/22 15:51 PM - Last Modified 05/30/23 21:05 PM


Symptom


  • The source user field is not populating in Traffic logs (show log traffic) or showing intermittent information.
  • The source user information in Traffic logs is empty sometimes, even though the ip-user mapping exists on the firewall.
  • User-ID source is configured properly and ‘User-ID' is enabled for the zones.
  • The firewall is configured in multi-vsys mode.

Environment


  • Palo Alto Firewalls.
  • Supported PAN-OS.
  • multi-vsys configured on Firewall.
  • User-ID enabled.

Cause


  • User-ID redistribution is not enabled on the firewall.
  • When multi-vsys is configured on the firewall, the User-ID redistribution needs to be configured.
  • This is to ensure all vsys have the same ip-user mappings.

Resolution


  1. Assign one Virtual system as a User-ID hub. Details can be found in ​​​Share User-id Mappings Across Virtual Systems document.
  2. Select GUI: Device > Virtual Systems and then select the virtual system where you consolidated your User-ID sources.
  3. On the Resource tab, make this vsys a User-ID data hub and click Yes to confirm. Then click OK.
  4. Commit the configuration.
image.png
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000CpvSCAS&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail