<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: User to IP mapping for LAN with computer on hibernate/sleep in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/user-to-ip-mapping-for-lan-with-computer-on-hybernet-sleep/m-p/488733#M104852</link>
    <description>&lt;P&gt;1. Is WMI probing still recommended option or no longer in use..?&amp;nbsp; Not recommended, as it is too chatty.&lt;/P&gt;
&lt;P&gt;2. for the scenario described... How to handle this use case..?&amp;nbsp;&amp;nbsp;&amp;nbsp; Increase the timeout for the userID from 45 minutes to 24 hours.&lt;/P&gt;
&lt;P&gt;Now personally, even if the machine is asleep during the night, GroupPolicy states that there should be GPO "check ins" at 90 min intervals throughout the day (please research/confirm how often GPO checkins are preferred on MS)&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;3. Scenario&amp;nbsp; How to handle this use case..?&amp;nbsp;&amp;nbsp; GPO checkins should still be occurring every 90 minutes (please confirm).&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Please consider implementing Authentication Policy to help force users to re-authenticate to the network if their IP is "unknown" to the network.&amp;nbsp; (&lt;A href="https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/authentication/authentication-policy" target="_blank"&gt;https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/authentication/authentication-policy&lt;/A&gt;)&lt;/P&gt;</description>
    <pubDate>Fri, 20 May 2022 02:30:20 GMT</pubDate>
    <dc:creator>S.Cantwell</dc:creator>
    <dc:date>2022-05-20T02:30:20Z</dc:date>
    <item>
      <title>User to IP mapping for LAN with computer on hibernate/sleep</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/user-to-ip-mapping-for-lan-with-computer-on-hybernet-sleep/m-p/488120#M104779</link>
      <description>&lt;P&gt;I have a Palo Alto firewall and have implemented User-ID in our environment. I am looking for some help on a specific use case. I am hoping to get some answers/guidance for the same.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Firewalls : PA-820/850 as well as VM-300&lt;/P&gt;&lt;P&gt;PAN OS : 9.1.13-h3/9.1.9&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I have installed the Windows-based User-ID agent on a couple of servers.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Windows Server OS : Server 2019 Standard&lt;/P&gt;&lt;P&gt;Palo's Windows User ID Agent : Version 9.1.2-9&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Queries:&lt;/P&gt;&lt;P&gt;1. Is WMI probing still a recommended&amp;nbsp;option or no longer in use?&lt;/P&gt;&lt;P&gt;2. We have a lot of users who don't shut down their computers. I see an issue in mapping IP to user for these users/computers. They hibernate/sleep their computers and come to the office the next day and connect to the wired network, but the Windows User-ID agent is not able to map their IP to user because there is no logon event on the domain controller. How to handle this use case?&lt;/P&gt;&lt;P&gt;3. The second use case is that a user is connected to the wireless network and already logged in to the computer on the wireless network when in a meeting. The user comes back to the desk and connects to the docking station or wired network. I believe again there will not be any login event with the wired IP address, so it is not able to map the wired IP to the user. How to handle this use case?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We are using 802.1x on wireless but there is no authentication on the wired network currently.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Is there any other option to make sure all these use cases are covered?&lt;/P&gt;&lt;P&gt;Thanks in advance.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 18 May 2022 08:09:24 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/user-to-ip-mapping-for-lan-with-computer-on-hybernet-sleep/m-p/488120#M104779</guid>
      <dc:creator>Niren.Vekaria</dc:creator>
      <dc:date>2022-05-18T08:09:24Z</dc:date>
    </item>
    <item>
      <title>Re: User to IP mapping for LAN with computer on hibernate/sleep</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/user-to-ip-mapping-for-lan-with-computer-on-hybernet-sleep/m-p/488733#M104852</link>
      <description>&lt;P&gt;1. Is WMI probing still recommended option or no longer in use..?&amp;nbsp; Not recommended, as it is too chatty.&lt;/P&gt;
&lt;P&gt;2. for the scenario described... How to handle this use case..?&amp;nbsp;&amp;nbsp;&amp;nbsp; Increase the timeout for the userID from 45 minutes to 24 hours.&lt;/P&gt;
&lt;P&gt;Now personally, even if the machine is asleep during the night, GroupPolicy states that there should be GPO "check ins" at 90 min intervals throughout the day (please research/confirm how often GPO checkins are preferred on MS)&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;3. Scenario&amp;nbsp; How to handle this use case..?&amp;nbsp;&amp;nbsp; GPO checkins should still be occurring every 90 minutes (please confirm).&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Please consider implementing Authentication Policy to help force users to re-authenticate to the network if their IP is "unknown" to the network.&amp;nbsp; (&lt;A href="https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/authentication/authentication-policy" target="_blank"&gt;https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/authentication/authentication-policy&lt;/A&gt;)&lt;/P&gt;</description>
      <pubDate>Fri, 20 May 2022 02:30:20 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/user-to-ip-mapping-for-lan-with-computer-on-hybernet-sleep/m-p/488733#M104852</guid>
      <dc:creator>S.Cantwell</dc:creator>
      <dc:date>2022-05-20T02:30:20Z</dc:date>
    </item>
    <item>
      <title>Re: User to IP mapping for LAN with computer on hibernate/sleep</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/user-to-ip-mapping-for-lan-with-computer-on-hybernet-sleep/m-p/489170#M104868</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/172566"&gt;@Niren.Vekaria&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;In addition to what&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/113304"&gt;@S.Cantwell&lt;/a&gt;&amp;nbsp;mentioned, if you have Exchange in your environment you can use that to pull user-id from its logs as well. Exchange in general causes way more events to read from during normal operations than just pulling through AD DCs.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Sat, 21 May 2022 02:53:31 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/user-to-ip-mapping-for-lan-with-computer-on-hybernet-sleep/m-p/489170#M104868</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2022-05-21T02:53:31Z</dc:date>
    </item>
    <item>
      <title>Re: User to IP mapping for LAN with computer on hibernate/sleep</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/user-to-ip-mapping-for-lan-with-computer-on-hybernet-sleep/m-p/497696#M105129</link>
      <description>&lt;P&gt;Thanks &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480"&gt;@BPry&lt;/a&gt;&amp;nbsp;and&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/113304"&gt;@S.Cantwell&lt;/a&gt;&amp;nbsp;for your response.&lt;/P&gt;&lt;P&gt;We are using Microsoft Office 365 and I think we can't look at events of M365 like on an on-prem Exchange server.&amp;nbsp;&lt;/P&gt;&lt;P&gt;I already increased the timeout and it is helping, but I still see that when some users do not restart their computers and connect via LAN, IP and user mapping is not happening. GPO is getting pushed every 30 mins but I thought it will not create the login event for the User-ID agent to map the user to IP..?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I will have to explore the option of Authentication Policy to see how that can help. It will be challenging to implement it as we have few machines which are not part of the domain as well.&lt;/P&gt;</description>
      <pubDate>Thu, 02 Jun 2022 01:24:49 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/user-to-ip-mapping-for-lan-with-computer-on-hybernet-sleep/m-p/497696#M105129</guid>
      <dc:creator>Niren.Vekaria</dc:creator>
      <dc:date>2022-06-02T01:24:49Z</dc:date>
    </item>
  </channel>
</rss>

