PaloAlto integrate with AD

Ovan — Mon, 22 Mar 2010 04:22:16 GMT

When I configured authentication on PaloAlto I met the problem:

I tested authentication on PaloAlto:

- 1 Domain Server: installed PAN Agent

- 2 pc join domain

- Create some accounts: user1, user2, user3

1> I logon with domain user (user1), I can access Internet and in Monitor Tab I can see my pc had been authenticated (user_domain.png)

2> I logout and login again with local user (cloud), I still can access Internet (user_Local.png) although I set policy deny all except user1, user2 (policy.png)

3> If I changed IP Address from 172.16.1.71 to 172.16.1.76, I couldn’t access Internet but If I changed IP Address to 172.16.1.71, I still access Internet.

- I want only domain user can access Internet but local user, PaloAlto can do or not?

- I think PaloAlto cached the IP Address to define Account Domain so when I logon with local user with old IP Address, I still access Internet. If I right, how long PaloAlto will clear cache? Can I change the time to clear?

- I used PC1 to access Internet with user1 but I still could used PC2 to access Internet with user1. PC1 and PC2 could access Internet in the same time with the same user. Can I configure PaloAlto allow only one user to access Internet?

Re: PaloAlto integrate with AD

nrice — Thu, 25 Mar 2010 01:40:30 GMT

The PANAgent is looking for users logged into the domain and won't detect if a user is changed to "local." As long as that IP remains active, the PANAgent thinks the original domain user is logged in. Even when using Netbios probing, the original domain login is chached (even if actually logged out) on the workstation and the Panagent will continue to see the original domain login. 3.1 may be an option for you as it will allow you to use WMI instead of Netbios and user activity will be correctly read.

topic PaloAlto integrate with AD in General Topics

PaloAlto integrate with AD

Re: PaloAlto integrate with AD