https://live.paloaltonetworks.com/t5/general-topics/user-id-not-detecting-logged-off-users/m-p/45628#M33527 <HTML><HEAD></HEAD><BODY><P>Hmm because I have noticed that my ts-agents gets disconnected by the PAN unit after approx 2h50m which makes the logs be incorrect regarding userinformation or completely empty regarding which user made which session (since the PAN-unit still believes its "connected, ok" with "show ts-agent statistics" while each ts-agent on the terminalservers along with "netstat -an | find "5009"" verifies that the PAN-unit is no longer connected).</P><P></P><P>Today I setup a custom app id (to make sure there is no session inactivity going on by setting sessions timeout to "0" for my custom app) and than an application override to make sure my "custom-ts-agent" was being used for the traffic and then verified with traffic log (logging set to both start and end). But it still got disconnected after approx 2h50m...</P><P></P><P>By the way, how come the ts-agent doesnt have an official appid? <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>paloalto-userid-agent exists but not paloalto-ts-agent?</P></BODY></HTML> Mon, 01 Mar 2010 18:32:10 GMT rps 2010-03-01T18:32:10Z https://live.paloaltonetworks.com/t5/general-topics/user-id-not-detecting-logged-off-users/m-p/45622#M33521 <HTML><HEAD></HEAD><BODY><P>I have the User-ID agent configured and working nicely, however I just noticed a few entries in the URL logs showing for the domain user who last logged on to one of our PC's when I know that the PC is currently logged on using a local account rather than a domain account.</P><P></P><P>I guess I've missed something?</P></BODY></HTML> Sat, 20 Feb 2010 12:51:50 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-not-detecting-logged-off-users/m-p/45622#M33521 networkadmin 2010-02-20T12:51:50Z https://live.paloaltonetworks.com/t5/general-topics/user-id-not-detecting-logged-off-users/m-p/45623#M33522 <HTML><HEAD></HEAD><BODY><P>The PAN Agent learns from the AD security log when a user logs in, and it won't detect when a user has logged out until a new security log file is received. Enabling NetBios probes will more quickly verify changes to logged in users. There is also a configurable "Age-out" timer option in the PAN Agent which determines how long entries in the IP to username cache are valid. The default is 45 minutes. </P><P></P><P>Nancy Rice </P><P>Technical Support</P><P>Palo Alto Networks</P><P>1-866-898-9087</P></BODY></HTML> Tue, 23 Feb 2010 00:07:09 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-not-detecting-logged-off-users/m-p/45623#M33522 nrice 2010-02-23T00:07:09Z https://live.paloaltonetworks.com/t5/general-topics/user-id-not-detecting-logged-off-users/m-p/45624#M33523 <HTML><HEAD></HEAD><BODY><P>Does the same apply to ts-agent that it have to be used together with pan-agent to make sure to not have incorrect logs (I mean logs that claims that a particular user did something but the user is no longer logged in to the terminalservers)?</P><P></P><P>Or how are logged out users handled in that case (does ts-agent somehow notify the PA unit that the user is no longer logged in)?</P></BODY></HTML> Fri, 26 Feb 2010 15:56:44 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-not-detecting-logged-off-users/m-p/45624#M33523 rps 2010-02-26T15:56:44Z https://live.paloaltonetworks.com/t5/general-topics/user-id-not-detecting-logged-off-users/m-p/45625#M33524 <HTML><HEAD></HEAD><BODY><P>The PAN device will correlate the user information learned from the TS-Agent and the group information learned from the Pan-Agent. This is important if you are applying domain-group based security policies.</P><P></P><P>Regarding the second part of the question, yes the TS-Agent adds and removes users as they log in and off from the terminal server. You can issue the command below 'show ts-agent user-IDs' to display a listing of the corrently logged in users learned from the TS-Agent.</P><P></P><P>To view the status of the configured TS-Agents and the currently logged in users learned from the TS-Agent, the following commands can be used to display the information:</P><P></P><P>Display the current connection status of the TS-Agent</P><P></P><P>admin@PAN&gt;show ts-agent statistics</P><P></P><P>Display the list of currently logged in users learned from the TS-Agent</P><P></P><P>admin@PAN&gt;show ts-agent user-IDs</P></BODY></HTML> Sun, 28 Feb 2010 20:09:11 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-not-detecting-logged-off-users/m-p/45625#M33524 pantac 2010-02-28T20:09:11Z https://live.paloaltonetworks.com/t5/general-topics/user-id-not-detecting-logged-off-users/m-p/45626#M33525 <HTML><HEAD></HEAD><BODY><P>Perhaps this is a bit off-topic (if so please move this question to a new thread <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> but from the PAN device point of view does it matter if the ts-agents are accessible through the MGT interface or through a dataplane interface (redirected by the service route configuration along with a policy allowing the tcp-5009 traffic or whatever port you have configured the ts-agents to run at)?</P><P></P><P>Im thinking if dataplane is used perhaps some session ttl will screw up the communication between the PAN device and the ts-agents or so?</P><P></P><P>Because when using off-band management the MGT interface will be connected to a management-network while the terminalservers (where the ts-agents exists on) will be accessible through one of the dataplane interfaces.</P></BODY></HTML> Sun, 28 Feb 2010 21:36:47 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-not-detecting-logged-off-users/m-p/45626#M33525 rps 2010-02-28T21:36:47Z https://live.paloaltonetworks.com/t5/general-topics/user-id-not-detecting-logged-off-users/m-p/45627#M33526 <HTML><HEAD></HEAD><BODY><P>The interface used for the connection should not matter.</P><P></P><P>Mike</P></BODY></HTML> Mon, 01 Mar 2010 16:36:09 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-not-detecting-logged-off-users/m-p/45627#M33526 mjacobsen 2010-03-01T16:36:09Z https://live.paloaltonetworks.com/t5/general-topics/user-id-not-detecting-logged-off-users/m-p/45628#M33527 <HTML><HEAD></HEAD><BODY><P>Hmm because I have noticed that my ts-agents gets disconnected by the PAN unit after approx 2h50m which makes the logs be incorrect regarding userinformation or completely empty regarding which user made which session (since the PAN-unit still believes its "connected, ok" with "show ts-agent statistics" while each ts-agent on the terminalservers along with "netstat -an | find "5009"" verifies that the PAN-unit is no longer connected).</P><P></P><P>Today I setup a custom app id (to make sure there is no session inactivity going on by setting sessions timeout to "0" for my custom app) and than an application override to make sure my "custom-ts-agent" was being used for the traffic and then verified with traffic log (logging set to both start and end). But it still got disconnected after approx 2h50m...</P><P></P><P>By the way, how come the ts-agent doesnt have an official appid? <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>paloalto-userid-agent exists but not paloalto-ts-agent?</P></BODY></HTML> Mon, 01 Mar 2010 18:32:10 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-not-detecting-logged-off-users/m-p/45628#M33527 rps 2010-03-01T18:32:10Z https://live.paloaltonetworks.com/t5/general-topics/user-id-not-detecting-logged-off-users/m-p/45629#M33528 <HTML><HEAD></HEAD><BODY><P>We would need to take a look at the ts-agent logs to see if we can determine why it is disconnecting. You can upload them here or send them in to support and we can investigate.</P><P></P><P>On the App-ID front, we can take a look at this.</P><P></P><P>Mike</P></BODY></HTML> Mon, 01 Mar 2010 20:59:39 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-not-detecting-logged-off-users/m-p/45629#M33528 mjacobsen 2010-03-01T20:59:39Z