Empty User ID source Field in Traffic logs - Find authentication AD server

Created On 06/08/22 03:08 AM - Last Modified 09/08/22 18:38 PM


Symptom


When monitoring traffic logs in the GUI under Monitor > Traffic, the User-ID is missing for some traffic.

Environment


  • PAN-OS 9.1 and above.
  • Any Palo Alto Firewall.
  • User ID Agent (UIA)
  • Traffic Logs
  • Client machine - Windows 


Cause


The User-ID Agent (UIA) server is not monitoring the AD server against which the user authenticated.

Resolution


  1. From the client machine, verify which AD server the user is connecting to:
  2. Click Start and enter CMD (Windows Vista/7/2008) or Start > Run > CMD (Windows XP/2003)
  3. When the CMD window opens, enter the following and press Enter:
 echo %logonserver%
  4. The logon server will be displayed.
  5. Verify that the AD server obtained from the output above is added to the User-ID Agent configuration, so that the agent monitors this AD server's event logs. Only then is the user-to-IP mapping information sent from the AD server to the UIA.
  6. If this AD server is missing from the UIA configuration, add it to resolve this issue.
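
The comparison described in the steps above can be scripted on the client. The following PowerShell is an added example, not part of the original article and not vendor code; the function names and the `$MonitoredServers` list are hypothetical, and the server names are constructed sample values to be replaced with the servers configured in your User-ID Agent. It also assumes that a logon server equal to the local computer name means a local-account logon.

```powershell
# Added example, not vendor code. Sample list is constructed; replace it with
# the server names (hostnames or FQDNs) from your User-ID Agent configuration.
$MonitoredServers = @('dc01.corp.example.com', 'DC02')

function Get-ShortName([string]$Name) {
    # \\DC01, dc01 and dc01.corp.example.com all normalize to DC01.
    ($Name.Trim().TrimStart('\') -split '\.')[0].ToUpperInvariant()
}

function Test-LogonServerMonitored {
    param(
        [string]$LogonServer  = $env:LOGONSERVER,
        [string]$ComputerName = $env:COMPUTERNAME,
        [string[]]$Monitored  = $MonitoredServers
    )
    if ([string]::IsNullOrWhiteSpace($LogonServer)) {
        return [pscustomobject]@{ LogonServer = $null; Status = 'Unknown'
            Detail = 'LOGONSERVER is not set in this session.' }
    }
    $short = Get-ShortName $LogonServer
    if ($ComputerName -and $short -eq (Get-ShortName $ComputerName)) {
        # Assumption: a logon server equal to this machine is a local-account
        # logon, so no domain controller holds an event for the agent to read.
        return [pscustomobject]@{ LogonServer = $short; Status = 'LocalLogon'
            Detail = 'Logon server is this machine, not a domain controller.' }
    }
    $known = @($Monitored | Where-Object { $_ } | ForEach-Object { Get-ShortName $_ })
    if ($known -contains $short) {
        return [pscustomobject]@{ LogonServer = $short; Status = 'Monitored'
            Detail = 'Logon server is in the monitored list.' }
    }
    [pscustomobject]@{ LogonServer = $short; Status = 'NotMonitored'
        Detail = "Add $short to the User-ID Agent server monitoring list." }
}

# Check the current session, then two constructed inputs.
Test-LogonServerMonitored
Test-LogonServerMonitored -LogonServer '\\DC02' -ComputerName 'PC-042'
Test-LogonServerMonitored -LogonServer '\\DC07' -ComputerName 'PC-042'
```

Names are compared on the first DNS label only, so entries in the monitored list must be hostnames or FQDNs rather than IP addresses.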

