<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic User-ID Event Generation in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/user-id-event-generation/m-p/46791#M34395</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I have a question about the events used to map users to IPs in the firewall.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;According to documentation, the PA uses three event IDs to map users to IPs: 4768, 4769, 4770.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The question I have is this:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If a user (say his username is bsmith) is an IT administrator, and also has a username of bsmithadmin with administrative rights (he may use this account to map to admin shares, etc.).&amp;nbsp; If the user uses his admin account from his workstation to map shares or authenticate with servers, won't it generate an event ID 4769?&amp;nbsp; In doing research, I found documentation that says a 4769 is generated when users access servers or resources on the network.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Wouldn't that cause the PA to map the admin account to the workstation IP instead of his regular user account, thus messing with the policies applied to him?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Is there a way to change which events trigger an update in the PA, and say only read event ID 4768s that indicate a successful login?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Mon, 07 Nov 2011 16:51:47 GMT</pubDate>
    <dc:creator>bbrassart</dc:creator>
    <dc:date>2011-11-07T16:51:47Z</dc:date>
    <item>
      <title>User-ID Event Generation</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/user-id-event-generation/m-p/46791#M34395</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I have a question about the events used to map users to IPs in the firewall.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;According to documentation, the PA uses three event IDs to map users to IPs: 4768, 4769, 4770.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The question I have is this:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If a user (say his username is bsmith) is an IT administrator, and also has a username of bsmithadmin with administrative rights (he may use this account to map to admin shares, etc.).&amp;nbsp; If the user uses his admin account from his workstation to map shares or authenticate with servers, won't it generate an event ID 4769?&amp;nbsp; In doing research, I found documentation that says a 4769 is generated when users access servers or resources on the network.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Wouldn't that cause the PA to map the admin account to the workstation IP instead of his regular user account, thus messing with the policies applied to him?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Is there a way to change which events trigger an update in the PA, and say only read event ID 4768s that indicate a successful login?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 07 Nov 2011 16:51:47 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/user-id-event-generation/m-p/46791#M34395</guid>
      <dc:creator>bbrassart</dc:creator>
      <dc:date>2011-11-07T16:51:47Z</dc:date>
    </item>
    <item>
      <title>Re: User-ID Event Generation</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/user-id-event-generation/m-p/46792#M34396</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;@bbrassart:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Your understanding of the situation is valid. The Pan Agent will pick up the username for the admin user when the fileshares are mapped.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;At the present time the user identification agents do not support exclusion of event IDs.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If you would like to see this feature implemented please get in touch with your sales team.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Another option would be to set up an ignore-user list that includes the bsmithadmin user. This will keep the Pan Agent from mapping any event IDs associated with bsmithadmin.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;-Benjamin&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 07 Nov 2011 23:23:26 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/user-id-event-generation/m-p/46792#M34396</guid>
      <dc:creator>bpappas</dc:creator>
      <dc:date>2011-11-07T23:23:26Z</dc:date>
    </item>
  </channel>
</rss>

