User Group is Incorrect and not Hitting Correct Security Policies
Created On 09/25/18 19:24 PM - Last Modified 05/06/21 22:05 PM
In multi-domain environments, if a user belongs to more than one user group then the agent may show incorrect group mapping.
- Palo Alto Firewalls.
- Any PAN-OS.
- User ID Agent installed.
Windows session reading doesn't have domain info for the session hence the firewall cannot distinguish between multiple domains when a user is a part of multi domain enviornment.
- Confirm if Server Session Read is enabled on the User-Id Agent. This setting should be used only with single domain deployments.
- Read the UAdebug logs which can confirm the same. The Logs will be similar to that below:
Debug 377]: Server Session: user1 \\10.10.10.10 Debug 413]: IP 10.10.10.10 login name gets changed from domain1\user1 to domain2\user1.
- Windows session reading doesn't have domain info for the session hence the firewall cannot distinguish between domain2 and domain1. Disable the setting of "Enable Server Session Read" by unchecking the option.
- Restart the User-ID Agent service for the configuration change to take effect.
Note: UAdebug" log can be found in the User-ID installation folder under C:\Program Files (x86)\Palo Alto Networks\User-ID Agent