topic Terminal server from a single IP address, the firewall cannot distinguish which user generated which traffic! in Next-Generation Firewall Discussions

Terminal server from a single IP address, the firewall cannot distinguish which user generated which traffic!

Joao_Carvalho — Mon, 15 Sep 2025 07:02:25 GMT

When multiple users access a terminal server from a single IP address, the firewall cannot distinguish which user generated which traffic. The firewall maps the IP address to only one user.

After research, I resolved this issue with TSA, but I wanted to know if it's possible to determine which user actually owned the traffic from the past, before TSA was installed!

Re: Terminal server from a single IP address, the firewall cannot distinguish which user generated which traffic!

Raido_Rattameister — Mon, 15 Sep 2025 12:22:06 GMT

No you can't get historical data.

If you install TSA then every user will get block of source ports.

Outgoing traffic from specific user will be sourced from port range assigned to that user.

TSA hands over source block range to user mapping over to Palo that can then identify user based on what source port traffic came from.

As you don't have such source port mapping before TSA was installed you can't segregate user traffic from before TSA install.