
3/25/2014 User-ID Agent Setup Tips | Palo Alto Networks Live


User-ID Agent Setup Tips Version 14

created by PANW1337 on May 21, 2009 12:43 PM, last modified by PANW1337 on Feb 7, 2014 9:22 AM

User-ID Agent requirements:

Must be running on a Windows Server 2003 or 2008 host that is a member of the domain in question. Although it can be run directly on a domain controller, this is not recommended.
The service must run as a domain account that has local administrator permissions on the User-ID Agent server.
The service account must have permission to read the security log on the domain controllers. In Windows 2008 and later domains, there is a built-in group called Event Log Readers that provides sufficient rights for the agent. In earlier versions of Windows, the account must be granted the "Manage auditing and security log" user right through Group Policy. Making the account a member of the Domain Admins group provides rights for all operations, but grants far more privilege than the agent needs; prefer the Event Log Readers group where it is available.
If using WMI probes, the service account must have rights to read the root\CIMV2 namespace on each client workstation; Domain Admins has this by default.
If using a single User-ID agent, make sure its list of servers to monitor includes all domain controllers.
The domain controllers (DCs) must be configured to audit successful logon events.

The User-ID Agent monitors the domain controllers for the following events:

Windows 2003:
672 (Authentication Ticket Granted, which occurs at the moment of logon)
673 (Service Ticket Granted)
674 (Ticket Granted Renewed, which may happen several times during the logon session)

Windows 2008:
4768 (Authentication Ticket Granted)
4769 (Service Ticket Granted)
4770 (Ticket Granted Renewed)

For an account logon, the DC records event ID 672 (4768 on Windows 2008) as the first logon event, for the authentication ticket request. No relevant account logoff event is recorded, so the agent learns about logons but never about logoffs.
If NetBIOS probing is enabled, any connections to a file or print service on a server in the Monitored Server list will also be read by the agent. These connections provide updated user-to-IP mapping information to the agent. In all cases the newer event for an IP address overwrites the older mapping.
If WMI probing is enabled, make sure the probing interval is set to a reasonable value for the number of workstations the agent may need to query. For example, if there are 5,000 hosts to probe, do not set a probing interval as short as 10 minutes. Both of these settings are under User Identification > Setup > Client Probing on the User-ID agent.


In some cases the WMI probe will fail because the workstation is running a local firewall or is not a member of the domain. If this happens the mapping could be deleted once the cache timeout is exceeded, even though the workstation is up and passing traffic. To test, run the following command from the User-ID agent host:

wmic /node:<workstation IP address> computersystem get username

It should return the user currently logged in to that computer. If it fails or returns nothing, the agent's probe to that workstation will fail as well.
If you are not confident the workstations will respond to WMI probes, set the User-ID cache timeout to a higher value, since the mapping will then depend only on the user's logon events. In that case, if the cache timeout is exceeded after the initial logon event, the mapping will be deleted even though the user is still logged in. This setting is under User Identification > Setup > Cache on the User-ID agent.
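
To make the logon-event and cache-timeout rules above concrete, here is an added example (not code from the article or from Palo Alto Networks) that models how an agent turns 4768/4769/4770 records into IP-to-user mappings, with the newest event for an IP winning, and what the cache timeout does with and without a working probe. The event text, timestamps, hosts and the fake probe are all constructed for illustration; skipping computer accounts (names ending in `$`) and stripping the `user@REALM` form of 4769 are assumptions made for this example, not documented agent behaviour.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Security-log event IDs the article says the agent reads (Windows 2003 / 2008)
KERBEROS_EVENT_IDS = {672, 673, 674, 4768, 4769, 4770}

# Constructed sample records (not real log data) in the shape of the description
# text of 4768/4769/4770 events: (time in seconds, event id, description).
# Event 4634 is a logoff; it carries no client IP, so it is ignored.
SAMPLE_EVENTS = [
    (0,  4768, "Account Name:\talice\nClient Address:\t::ffff:10.1.1.5\n"),
    (10, 4768, "Account Name:\tWS01$\nClient Address:\t::ffff:10.1.1.5\n"),
    (50, 4769, "Account Name:\tbob@EXAMPLE.COM\nClient Address:\t::ffff:10.1.1.5\n"),
    (60, 4770, "Account Name:\talice\nClient Address:\t::ffff:10.1.1.9\n"),
    (70, 4634, "Account Name:\talice\nLogon Type:\t3\n"),
]

_FIELD = re.compile(r"^(Account Name|Client Address):[ \t]*([^\r\n]+?)[ \t]*$", re.MULTILINE)


def parse_event(event_id: int, text: str) -> Optional[tuple[str, str]]:
    """Return (user, ip) for a Kerberos ticket event, None for records the agent ignores."""
    if event_id not in KERBEROS_EVENT_IDS:
        return None
    fields = dict(_FIELD.findall(text))
    user, addr = fields.get("Account Name"), fields.get("Client Address")
    if not user or not addr or user.endswith("$"):
        # Missing fields, or a computer account (trailing '$'). Skipping machine
        # accounts is an assumption of this example, not taken from the article.
        return None
    user = user.split("@", 1)[0].lower()   # 4769 logs user@REALM; keep the user part
    ip = addr.removeprefix("::ffff:")      # the events log IPv4 in IPv4-mapped IPv6 form
    return user, ip


@dataclass
class Entry:
    user: str
    last_seen: int   # time of the event or probe that last confirmed the mapping
    source: str      # "event" or "probe"


class MappingCache:
    """Toy IP-to-user table: newest event wins; stale entries are probed, then dropped."""

    def __init__(self, timeout: int, probe: Optional[Callable[[str], Optional[str]]] = None):
        self.timeout = timeout   # the agent's cache timeout, in seconds
        self.probe = probe       # stands in for a WMI probe: ip -> logged-in user, or None
        self.table: dict[str, Entry] = {}

    def ingest(self, time: int, event_id: int, text: str) -> bool:
        parsed = parse_event(event_id, text)
        if parsed is None:
            return False
        user, ip = parsed
        self.table[ip] = Entry(user, time, "event")   # newer event overwrites older mapping
        return True

    def maintain(self, now: int) -> list[str]:
        """Apply the cache timeout; returns the IPs whose mapping was deleted."""
        dropped = []
        for ip, entry in list(self.table.items()):
            if now - entry.last_seen < self.timeout:
                continue
            # Timed out. A successful probe refreshes the entry; with no probing, or a
            # probe blocked by a host firewall, the mapping is deleted even though the
            # user may still be logged in: the failure mode the article warns about.
            user = self.probe(ip) if self.probe else None
            if user:
                self.table[ip] = Entry(user, now, "probe")
            else:
                del self.table[ip]
                dropped.append(ip)
        return dropped

    def lookup(self, ip: str) -> Optional[str]:
        entry = self.table.get(ip)
        return entry.user if entry else None


def fake_probe(ip: str) -> Optional[str]:
    """Simulated WMI probe: 10.1.1.9 answers, 10.1.1.5 runs a host firewall and does not."""
    return {"10.1.1.9": "alice"}.get(ip)


def run_scenario(timeout: int, probe=None, now: int = 700) -> dict[str, Optional[str]]:
    """Feed the sample events, run one maintenance pass at `now`, report both workstations."""
    cache = MappingCache(timeout, probe)
    for t, event_id, text in SAMPLE_EVENTS:
        cache.ingest(t, event_id, text)
    cache.maintain(now)
    return {ip: cache.lookup(ip) for ip in ("10.1.1.5", "10.1.1.9")}


if __name__ == "__main__":
    print("timeout 600s, no probing:  ", run_scenario(600))
    print("timeout 600s, with probing:", run_scenario(600, fake_probe))
    print("timeout 3600s, no probing: ", run_scenario(3600))
```

Running it prints three lines worth comparing: with a 600-second timeout and no probing, both mappings vanish once the logon events age out, although nobody logged off; with probing, only the host that answers the probe survives; with a timeout longer than the session, both mappings are kept. Note also that bob's 4769 at 10.1.1.5 silently replaced alice, which is exactly the "newer event overwrites older" rule.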

Confirm that you have all of your domain controllers in the list of servers to monitor. If you do not, you may miss some user-to-IP mappings, since any domain controller can potentially authenticate a user.
Confirm that your domain controller list is accurate. You can run the following command from a domain controller to get a list of all the domain controllers:

dsquery server -o dn

This should print out a list of your DCs. Remove any DCs that no longer exist from the monitored list.
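
As an added example (not from the article and not Palo Alto Networks code), the following reconciles the output of `dsquery server -o dn` against the agent's monitored-server list, reporting DCs the agent does not watch and monitored names that are no longer DCs. The DN lines, hostnames and list contents are constructed for illustration; an IP address in the monitored list cannot be matched by name offline, so it is reported separately for a manual check.

```python
import ipaddress
import re

# Constructed output of `dsquery server -o dn` run on a DC of example.com (not real
# data). dsquery prints one quoted DN per line; the server object's CN is the DC name.
DSQUERY_OUTPUT = '''\
"CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com"
"CN=DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com"
"CN=BR-DC01,CN=Servers,CN=Branch,CN=Sites,CN=Configuration,DC=example,DC=com"
'''

# Constructed copy of the agent's "servers to monitor" list: a decommissioned DC
# (dc03) is still present, dc02 and br-dc01 are missing, and one entry is an IP.
MONITORED_SERVERS = ["DC01.example.com", "dc03.example.com", "10.0.0.5"]

_SERVER_DN = re.compile(r"^CN=([^,]+),CN=Servers,", re.IGNORECASE)


def parse_dsquery_servers(text: str) -> set[str]:
    """Extract the DCs' short names from dsquery DN output (quoted or unquoted lines)."""
    names = set()
    for line in text.splitlines():
        m = _SERVER_DN.match(line.strip().strip('"'))
        if m:
            names.add(m.group(1).lower())
    return names


def _short_name(entry: str) -> str:
    # Monitored entries may be FQDNs; compare on the first label, case-insensitively.
    return entry.strip().lower().split(".", 1)[0]


def reconcile(dsquery_text: str, monitored: list[str]) -> dict[str, list[str]]:
    """Compare the DC list from AD with the agent's monitored list."""
    dcs = parse_dsquery_servers(dsquery_text)
    by_name, by_ip = set(), []
    for entry in monitored:
        try:
            ipaddress.ip_address(entry.strip())
            by_ip.append(entry.strip())      # cannot be matched by name without DNS
        except ValueError:
            by_name.add(_short_name(entry))
    return {
        "missing": sorted(dcs - by_name),    # DCs whose logon events the agent never sees
        "stale": sorted(by_name - dcs),      # monitored names that are no longer DCs
        "unverified": by_ip,                 # IP entries; resolve and check by hand
    }


if __name__ == "__main__":
    for key, hosts in reconcile(DSQUERY_OUTPUT, MONITORED_SERVERS).items():
        print(f"{key:10s} {', '.join(hosts) or '-'}")
```

On the constructed data this reports dc02 and br-dc01 as missing (logons authenticated there would produce no mapping), dc03 as stale, and 10.0.0.5 as needing a manual check.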
Confirm that User-ID is enabled on the zone from which the traffic will be sourced. This setting is under Network > Zones.

Helpful commands on the firewall

Status of the agent and connection statistics:
show user user-id-agent state all

Display IP mappings:
show user ip-user-mapping all

Display a single IP mapping with details, including group info:
show user ip-user-mapping ip <IP address>

Display the groups being parsed on the firewall:
show user group list

Display the members of a group according to the firewall (the group name is its DN):
show user group name <group name>

Delete a group mapping and rebuild it:
debug user-id clear group <group name>
debug user-id refresh group-mapping all

owner: jteetsel

Categories: User-ID & Authentication


Tags: user-id, troubleshooting, group, userid_agent, group_mapping, user_mapping


2 Comments

kaz Jul 15, 2011 12:27 AM


Hi,

I would like to confirm,

NetBIOS/SMB probing:

The PANAgent login should have rights to the workstation for probing.

Workstation must allow ports 137-139 and port 445.

Are the port numbers used for NetBIOS probing by the UIA 137/udp, 138/udp, 139/tcp and 445/tcp?

mehodgson Mar 19, 2012 12:26 PM

I'd like to have access to the "dclocator.exe" program. The FTP instructions above don't seem to work
for me.
Please advise...

