User-ID Agent Setup Tips | Palo Alto Networks Live 3/24/15, 11:24 AM

User-ID Agent Setup Tips Version 20

created by PANW1337 on May 21, 2009 12:43 PM, last modified by panagent on Apr 14, 2014 7:41 AM

User-ID Agent requirements:

- Must be running on a Windows 2008 or 2003 Server that is a member of the domain in question (although it can be run directly on the AD server, this is not recommended).
- The service must run as a domain account that has local administrator permissions on the User-ID Agent server.
- The service account must have permission to read the security log. In Windows 2008 and later domains there is a built-in group called Event Log Readers that provides sufficient rights for the agent. In prior versions of Windows, the account must be given the "Audit and manage security log" user right through a group policy. Making the account a member of the Domain Administrators group will provide rights for all operations.
- If using WMI probes, the service account must have the rights to read the CIMV2 namespace on the client workstation; a domain admin account has this by default.
- If using one User-ID Agent, make sure it includes all domain controllers in the discovery list.
- The domain controller (DC) must log successful logon information.

The User-ID Agent monitors the domain controllers for the following events:

Windows 2003
- 672 (Authentication Ticket Granted, which occurs at the moment of logon)
- 673 (Service Ticket Granted)
- 674 (Ticket Granted Renewed, which may happen several times during the logon session)

Windows 2008
- 4768 (Authentication Ticket Granted)
- 4769 (Service Ticket Granted)
- 4770 (Ticket Granted Renewed)
- 4624 (Logon Success)

For account logon, the DC records event ID 672 as the first logon, for the authentication ticket request. No relevant account logon event gets recorded.

If NetBIOS probing is enabled, any connection to a file or print service on a server in the Monitored Server list will also be read by the agent. These connections provide updated user-to-IP mapping information to the agent. In all cases the newer event for a user mapping overwrites older events.

If WMI probing is enabled, make sure the probing interval is set to a reasonable value for the number of workstations it may need to query. For example, if there are 5,000 hosts to probe, do not set a probing interval of 10 minutes. Both of these settings are under User Identification > Setup > Client Probing on the User-ID agent:

In some cases the WMI probe will fail because the workstation is running a local firewall or is not a member of the domain. If this happens, the mapping may be deleted once the cache timeout is exceeded even though the workstation is up and passing traffic. To test, run the following command from the User-ID agent host:

wmic /node:workstationIPaddress computersystem get username

It should return the user currently logged in to that computer.

If you are not confident that the workstations will respond to WMI probes, set the User-ID cache timeout to a higher value, since the mapping will then depend entirely on the users' logon events. In this case, if the cache timeout is exceeded after the initial logon event, the mapping will be deleted even though the user is still logged in. This setting is under User Identification > Setup > Cache on the User-ID agent:
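The two rules above (the newest DC event or probe result for an IP overwrites the older mapping, and an entry whose last evidence is older than the cache timeout is dropped even if the user is still logged in) are easy to get wrong when sizing the probe interval and cache timeout. The following is an added simulation of that behaviour, written for this page and not Palo Alto Networks code; the event records, IP addresses, account names and the 45-minute default timeout are all constructed assumptions, and the probe reply is faked rather than obtained from WMI or NetBIOS.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Security-log event IDs the page lists as logon evidence on Windows 2003 and 2008 DCs.
LOGON_EVENT_IDS = {672, 673, 674, 4768, 4769, 4770, 4624}


@dataclass
class Mapping:
    user: str
    seen: datetime  # time of the newest DC event or successful probe for this IP


class MappingTable:
    """Toy model of the agent's user-to-IP table: newest evidence wins, idle entries expire."""

    def __init__(self, cache_timeout):
        self.cache_timeout = cache_timeout
        self.table = {}

    def on_dc_event(self, event_id, ts, user, ip):
        """Consume one DC security-log event; IDs outside the agent's list are ignored."""
        if event_id not in LOGON_EVENT_IDS:
            return False
        current = self.table.get(ip)
        if current is None or ts >= current.seen:
            self.table[ip] = Mapping(user, ts)  # newer event overwrites the older mapping
            return True
        return False

    def on_probe_result(self, ts, ip, user):
        """A successful WMI/NetBIOS probe refreshes the entry; None means the probe failed."""
        if user is None:
            return False
        self.table[ip] = Mapping(user, ts)
        return True

    def expire(self, now):
        """Drop entries idle longer than the cache timeout, whether or not the user is still logged in."""
        stale = [ip for ip, m in self.table.items() if now - m.seen > self.cache_timeout]
        for ip in stale:
            del self.table[ip]
        return stale

    def lookup(self, ip):
        m = self.table.get(ip)
        return m.user if m else None


# Constructed sample events: (event ID, timestamp, account, client IP). Not real log data.
SAMPLE_EVENTS = [
    (4768, datetime(2015, 3, 24, 8, 0), "CORP\\alice", "10.1.1.10"),   # TGT issued at logon
    (4769, datetime(2015, 3, 24, 8, 5), "CORP\\alice", "10.1.1.10"),   # service ticket
    (4624, datetime(2015, 3, 24, 8, 10), "CORP\\bob", "10.1.1.20"),    # logon success
    (4672, datetime(2015, 3, 24, 8, 15), "CORP\\bob", "10.1.1.20"),    # not in the agent's list
    (4768, datetime(2015, 3, 24, 9, 0), "CORP\\carol", "10.1.1.10"),   # new user on the same IP
]


def run_scenario(probes_succeed, cache_timeout_minutes=45):
    """Replay the events from 08:00 to 09:40 in 5-minute steps, probing 10.1.1.20 every 20 minutes.

    Returns the user mapped to each sample IP at the end; None means the entry expired.
    """
    table = MappingTable(timedelta(minutes=cache_timeout_minutes))
    pending = sorted(SAMPLE_EVENTS, key=lambda e: e[1])
    now, end = datetime(2015, 3, 24, 8, 0), datetime(2015, 3, 24, 9, 40)
    while now <= end:
        while pending and pending[0][1] <= now:
            event_id, ts, user, ip = pending.pop(0)
            table.on_dc_event(event_id, ts, user, ip)
        if now.minute % 20 == 0:
            # Constructed probe reply; the real agent would query WMI or NetBIOS here.
            table.on_probe_result(now, "10.1.1.20", "CORP\\bob" if probes_succeed else None)
        table.expire(now)
        now += timedelta(minutes=5)
    return {ip: table.lookup(ip) for ip in ("10.1.1.10", "10.1.1.20")}


if __name__ == "__main__":
    print("probes answer:       ", run_scenario(True))
    print("probes blocked:      ", run_scenario(False))
    print("blocked, 3h timeout: ", run_scenario(False, cache_timeout_minutes=180))
```

With probes answering, bob's entry is refreshed every 20 minutes and survives; with probes blocked by a host firewall it expires 45 minutes after his single 4624 event while carol's later 4768 has replaced alice on 10.1.1.10. Raising the cache timeout to three hours, as the page advises when probes cannot be relied on, keeps bob's mapping alive on logon events alone.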

Confirm that you have all of your domain controllers in the list of servers to monitor. If you do not, you may not get all of the user-to-IP mappings, since any domain controller can potentially authenticate the users.

Confirm that your domain controller list is accurate. You can run the following command from a domain controller to get a list of all the domain controllers:

dsquery server -o rdn

This should print out a list of your DCs. Remove any DCs that no longer exist.

Confirm that User-ID is enabled on the zone from which the traffic will be sourced. This setting is under Network > Zones:

Helpful commands on the firewall

Status of the agent and connection statistics:
  show user user-id-agent state all

Display IP mappings:
  show user ip-user-mapping all

Display a single IP mapping with details including group info:
  show user ip-user-mapping ip <IP address>

Display the groups being parsed on the firewall:
  show user group list

Display the members of a group according to the firewall (the group name is its DN):
  show user group name <group name>

Delete a group mapping and rebuild it:
  debug user-id clear group <group name>
  debug user-id refresh group-mapping all

owner: jteetsel

16208 Views Categories: User-ID & Authentication


Tags: user-id, troubleshooting, group, userid_agent, group_mapping, user_mapping
