https://live.paloaltonetworks.com/t5/general-topics/user-agent-and-active-directory-2008/m-p/1839#M1365 <HTML><HEAD></HEAD><BODY><P>Are you logging succes and failures for the "audit account logon events" and "audit logon events' on the domain controllers?</P></BODY></HTML> Tue, 05 Apr 2011 12:51:03 GMT mharding 2011-04-05T12:51:03Z https://live.paloaltonetworks.com/t5/general-topics/user-agent-and-active-directory-2008/m-p/1838#M1364 <HTML><HEAD></HEAD><BODY><P>I would like to know if there are some known issues about communications between useragent and AD2008 ?</P><P>We are migrating from AD2003 to AD2008 and some User-ID associations are missed :smileyangry:</P><P>We are not using security logs at the moment but only the session table monitoring.</P><P>We already have opened&nbsp; a case but I would like to share this experience.</P><P></P><P>We also encountered some issues with Juniper Firewall and AD2008. The ALG MS-RPC features based on UUID matching no longer works.</P><P></P><P>Is the UUID used by Palo Alto agents when communicating with the AD ?</P><P></P><P>Thanks for your help.</P></BODY></HTML> Tue, 05 Apr 2011 04:32:51 GMT https://live.paloaltonetworks.com/t5/general-topics/user-agent-and-active-directory-2008/m-p/1838#M1364 bdaussin 2011-04-05T04:32:51Z https://live.paloaltonetworks.com/t5/general-topics/user-agent-and-active-directory-2008/m-p/1839#M1365 <HTML><HEAD></HEAD><BODY><P>Are you logging succes and failures for the "audit account logon events" and "audit logon events' on the domain controllers?</P></BODY></HTML> Tue, 05 Apr 2011 12:51:03 GMT https://live.paloaltonetworks.com/t5/general-topics/user-agent-and-active-directory-2008/m-p/1839#M1365 mharding 2011-04-05T12:51:03Z https://live.paloaltonetworks.com/t5/general-topics/user-agent-and-active-directory-2008/m-p/1840#M1366 <HTML><HEAD></HEAD><BODY><P>No, not yet. We plan to do it with AD2008. We do not anderstand why some identification are missed now ( 2008 vs 2003 ).</P></BODY></HTML> Wed, 06 Apr 2011 02:59:54 GMT https://live.paloaltonetworks.com/t5/general-topics/user-agent-and-active-directory-2008/m-p/1840#M1366 bdaussin 2011-04-06T02:59:54Z https://live.paloaltonetworks.com/t5/general-topics/user-agent-and-active-directory-2008/m-p/1841#M1367 <HTML><HEAD></HEAD><BODY><P>The root cause of this issue starts becoming more accurate :</P><P>When an anonymous event comes from a user PC to the DC ( which has already been recognized by the AD agent ), here is the behaviour :</P><P>With DC2003, the AD agent get the field "sesi10_username" with an empty value, which has no effect on the Pan Agent.</P><P>With DC2008R2, the AD agent get the field "sesi10_username" with the value ANONYMOUS LOGON, which cause the PAN agent to overwrite the previous UserID-IP identification.</P><P></P><P>So, how to turn around this issue ? Is there a way on the agent to ignore ANONYMOUS LOGON ?</P><P></P><P>Thanks for your help.</P></BODY></HTML> Thu, 26 May 2011 15:50:18 GMT https://live.paloaltonetworks.com/t5/general-topics/user-agent-and-active-directory-2008/m-p/1841#M1367 bdaussin 2011-05-26T15:50:18Z https://live.paloaltonetworks.com/t5/general-topics/user-agent-and-active-directory-2008/m-p/1842#M1368 <HTML><HEAD></HEAD><BODY><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"><P>bdaussin wrote:</P><P></P><P>The root cause of this issue starts becoming more accurate :</P><P>When an anonymous event comes from a user PC to the DC ( which has already been recognized by the AD agent ), here is the behaviour :</P><P>With DC2003, the AD agent get the field "sesi10_username" with an empty value, which has no effect on the Pan Agent.</P><P>With DC2008R2, the AD agent get the field "sesi10_username" with the value ANONYMOUS LOGON, which cause the PAN agent to overwrite the previous UserID-IP identification.</P><P></P><P>So, how to turn around this issue ? Is there a way on the agent to ignore ANONYMOUS LOGON ?</P><P></P><P>Thanks for your help.</P></PRE><P></P><P>In the Palo Alto agent directory, create a file called "ignore_user_list.txt"</P><P></P><P>Add your "ANONYMOUS LOGON" to this file - you may need to put it in quotes, like I jsut did, as there is a space in the username.</P><P></P><P>See if this works.</P><P></P><P>Cheers!</P></BODY></HTML> Sun, 29 May 2011 23:18:37 GMT https://live.paloaltonetworks.com/t5/general-topics/user-agent-and-active-directory-2008/m-p/1842#M1368 dagibbs 2011-05-29T23:18:37Z https://live.paloaltonetworks.com/t5/general-topics/user-agent-and-active-directory-2008/m-p/1843#M1369 <HTML><HEAD></HEAD><BODY><P>Thanks for your advice and workaround. We set up this file on the AD agent, but it seems that it filters out all informations coming from the DC session table <img id="smileysad" class="emoticon emoticon-smileysad" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-sad.png" alt="Smiley Sad" title="Smiley Sad" /></P><P></P><P>We have opened a case to the support but it's quite long to get a usefull answer :smileyangry:</P><P></P><P>Thanks,</P></BODY></HTML> Tue, 07 Jun 2011 12:36:41 GMT https://live.paloaltonetworks.com/t5/general-topics/user-agent-and-active-directory-2008/m-p/1843#M1369 bdaussin 2011-06-07T12:36:41Z