https://live.paloaltonetworks.com/t5/general-topics/mac-osx-userid/m-p/42560#M31252 <HTML><HEAD></HEAD><BODY><P>I have a question. Maybe someone has run across this.</P><P>I am using the server monitoring function of Palo</P><P>I realize that I can use the user-ID agent and set it to never forget the user mapping, but I am looking for a more accurate way of keeping this mapping.</P><P></P><P>We have mac's that authenticate to a win 2008 domain. Initially I get the user to ip mapping, after the Palo cache expires the mapping is lost. Mac's do not auto update the cache.</P><P>My windows machines work normally, The initial mapping is correct and if I use any network resources the user mapping gets updated in Palo.</P><P></P><P>Any idea's, suggestions, etc</P><P></P><P>-Joe</P></BODY></HTML> Mon, 17 Jun 2013 14:53:08 GMT Joe_Uriarte 2013-06-17T14:53:08Z https://live.paloaltonetworks.com/t5/general-topics/mac-osx-userid/m-p/42560#M31252 <HTML><HEAD></HEAD><BODY><P>I have a question. Maybe someone has run across this.</P><P>I am using the server monitoring function of Palo</P><P>I realize that I can use the user-ID agent and set it to never forget the user mapping, but I am looking for a more accurate way of keeping this mapping.</P><P></P><P>We have mac's that authenticate to a win 2008 domain. Initially I get the user to ip mapping, after the Palo cache expires the mapping is lost. Mac's do not auto update the cache.</P><P>My windows machines work normally, The initial mapping is correct and if I use any network resources the user mapping gets updated in Palo.</P><P></P><P>Any idea's, suggestions, etc</P><P></P><P>-Joe</P></BODY></HTML> Mon, 17 Jun 2013 14:53:08 GMT https://live.paloaltonetworks.com/t5/general-topics/mac-osx-userid/m-p/42560#M31252 Joe_Uriarte 2013-06-17T14:53:08Z https://live.paloaltonetworks.com/t5/general-topics/mac-osx-userid/m-p/42561#M31253 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>When you are using windows machine in AD, you open a session and then after that, periodically, your session is renewed in the AD.</P><P>The palo is polling your security event and see, ever you new session and your renew then update is local cahe then you stay authenticated.</P><P></P><P>In Mac world, not sure but , you open a session in AD then generate event then be authen in the palo. After couple of minutes, maybe your Mac doon't ask for session renew then no event in the AD then your authenti expire in the palo.. If you try to access a network ressource, in background you are authenticate again in the domain then you are known by the palo.</P><P></P><P>To be sure, you can check the event in your AD:</P><P></P><P><SPAN style="text-decoration: underline;">Windows 2000/2003:</SPAN></P><P> SUCCESS_NET_LOGON = 540,</P><P>AUTH_TICKET_GRANTED = 672,</P><P>SERVICE_TICKET_GRANTED = 673,</P><P>TICKET_GRANTED_RENEW = 674,</P><P>ACCOUNT_USED_FOR_LOGON = 680,</P><P></P><P><SPAN style="text-decoration: underline;">Windows 2008:</SPAN></P><P>LOGON_SUCCESS_W2008 = 4624,</P><P>AUTH_TICKET_GRANTED_W2008 = 4768,</P><P>TICKET_GRANTED_RENEW_W2008 = 4770,</P><P>ACCOUNT_USED_FOR_LOGON_W2008 = 4776,</P><P></P><P>Hope help</P><P></P><P>V. </P></BODY></HTML> Mon, 17 Jun 2013 17:06:56 GMT https://live.paloaltonetworks.com/t5/general-topics/mac-osx-userid/m-p/42561#M31253 VinceM 2013-06-17T17:06:56Z https://live.paloaltonetworks.com/t5/general-topics/mac-osx-userid/m-p/42562#M31254 <HTML><HEAD></HEAD><BODY><P>I agree that is whats happening, except when I use a network resource with the mac, it never creates a new security log.</P><P>The resource (mapped share, printer, etc) do work on the mac, but i do not see any security logs being renewed..</P><P></P><P>I did a custom filter on AD log for the mentioned ID events</P><P></P><P>-Joe</P></BODY></HTML> Mon, 17 Jun 2013 17:57:42 GMT https://live.paloaltonetworks.com/t5/general-topics/mac-osx-userid/m-p/42562#M31254 Joe_Uriarte 2013-06-17T17:57:42Z https://live.paloaltonetworks.com/t5/general-topics/mac-osx-userid/m-p/42563#M31255 <HTML><HEAD></HEAD><BODY><P>If you access to a windows share (part of domain) for sure, you need authentication.</P><P>Try to ad your file server as server in the User-ID client. </P><P>I know that the user-ID is able to minotor AD / Exchnage / File server then try that.</P><P></P><P>V.</P></BODY></HTML> Tue, 18 Jun 2013 18:09:03 GMT https://live.paloaltonetworks.com/t5/general-topics/mac-osx-userid/m-p/42563#M31255 VinceM 2013-06-18T18:09:03Z https://live.paloaltonetworks.com/t5/general-topics/mac-osx-userid/m-p/42564#M31256 <HTML><HEAD></HEAD><BODY><P>Great idea, after an initial check this might just work. I was only monitoring my domain controllers. I do see more activity on the specific server for logon request coming from my mac.I will update this tomorrow.... <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P></BODY></HTML> Tue, 18 Jun 2013 18:41:23 GMT https://live.paloaltonetworks.com/t5/general-topics/mac-osx-userid/m-p/42564#M31256 Joe_Uriarte 2013-06-18T18:41:23Z https://live.paloaltonetworks.com/t5/general-topics/mac-osx-userid/m-p/42565#M31257 <HTML><HEAD></HEAD><BODY><P>Sorry about the delay int getting back to you Vince, been getting slammed here.</P><P>It looks like monitoring the servers did the trick. Thanks for the suggestion.</P><P></P><P>Cheers </P><P>-Joe</P></BODY></HTML> Mon, 24 Jun 2013 12:33:03 GMT https://live.paloaltonetworks.com/t5/general-topics/mac-osx-userid/m-p/42565#M31257 Joe_Uriarte 2013-06-24T12:33:03Z