Random Source Users are missing in the traffic logs when using ... - Knowledge Base - Palo Alto Networks

Random Source Users are missing in the traffic logs when using Terminal Server Agent (TSA)

Created On 04/26/19 02:36 AM - Last Modified 04/26/19 03:47 AM


Symptom


  • Traffic logs are missing User-ID information for some sessions from the same source IP address.
    (Screenshot legend: blue box = same source IP; red box = missing source User-ID mapping.)
  • The source user has applications sending traffic through the firewall on pre-defined source ports.


Environment


Terminal Server Agent (TSA) providing User-ID information to Firewall based on Port Allocation.

Cause


TSA Source Port Allocation Range is 20,000-39,999. This is the full range of port numbers that the TS agent will allocate for user mapping. 

Resolution


If the application running on the workstation uses a source port that is outside the Source Port allocation range of the TSA, the user will not be mapped. As a result, the traffic logs show no User-ID for sessions whose source port is outside the allocated range.


Workaround:
Modify the source ports used by the application so that they fall within the configured Source Port allocation range of the TSA.
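
To confirm this cause from exported traffic logs, the following added example (not part of the original article or any Palo Alto Networks tooling) separates unmapped sessions whose source port is outside 20,000-39,999 from unmapped sessions inside the range, which point to a different problem. The column names `src`, `sport`, `srcuser` and the sample rows are assumptions constructed for illustration.

```python
import csv
import io

# TS agent source port allocation range stated in the article (inclusive).
TSA_PORT_RANGE = range(20000, 40000)

# Constructed sample: simplified export with hypothetical column names.
SAMPLE_LOG = """\
src,sport,srcuser,app
10.1.1.50,20431,corp\\alice,web-browsing
10.1.1.50,5060,,sip
10.1.1.50,39999,corp\\bob,ssl
10.1.1.50,40000,,ssl
10.1.1.50,21010,,dns
10.1.2.7,5060,,sip
"""

def classify(rows, terminal_servers, port_range=TSA_PORT_RANGE):
    """Label every session from a terminal server that has no source user.

    out-of-range:      port not allocated by the TSA, so no mapping is expected.
    in-range-unmapped: port is in the TSA range but unmapped; investigate separately.
    """
    findings = []
    for row in rows:
        # Skip hosts that are not terminal servers and sessions already mapped.
        if row["src"] not in terminal_servers or row["srcuser"].strip():
            continue
        try:
            port = int(row["sport"])
        except ValueError:
            findings.append((row["src"], row["sport"], "bad-port"))
            continue
        label = "in-range-unmapped" if port in port_range else "out-of-range"
        findings.append((row["src"], port, label))
    return findings

def analyze(text, terminal_servers):
    """Parse CSV text and classify its unmapped terminal-server sessions."""
    return classify(csv.DictReader(io.StringIO(text)), terminal_servers)

if __name__ == "__main__":
    for src, port, label in analyze(SAMPLE_LOG, {"10.1.1.50"}):
        print(f"{src}:{port} {label}")
```
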


