User ip mapping with only Global Protect

robinheylen — Thu, 29 Aug 2013 12:00:49 GMT

Hi all,

i have a question regarding user ip mapping when only using Global Protect to authenticate users.

Without enabling any user-id agent. Neither external on a server, neither on the firewall.

It works as Global Protect identifies the logged-on user and uses this information to notify the firewall to place an user-ip mapping.

But I have tested the follow scenario:

User A is logged on onto the network with ip x.x.x.x and authenticated by Global Protect.

He pulls out the network cable, as on that moment user B connects to the same network with the same ip x.x.x.x

User B has takeover the rights of user A.

This looks like a major securitybug.

Why doesn't Global Protect sets up a concurrent SSL connection to the Portal with a heartbeat, so the Firewall is sure that user A is still the same user?

When the SSL connection is broken, the firewall could remove the user-ip mapping.

This is kind the way Juniper IC works, but obviously Palo Alto doesn't.

Is there an other secure way to maintain user-ip mapping and to be sure there could not be any takover of ip addresses without the use of Active Directory Log reading with an user-id agent (so only with Global Protect)?

Best regards

Re: User ip mapping with only Global Protect

Gregoux — Tue, 05 Nov 2013 10:13:42 GMT

I'm interresting in for this kind surrogate identication. I would like to know if paloalto does something on this topic

regard's

Re: User ip mapping with only Global Protect

Gregoux — Tue, 05 Nov 2013 10:24:58 GMT

Hi did you have a look to this documentation:

https://live.paloaltonetworks.com/docs/DOC-4820

this explain you how to modify the ttl for the idle session. if you decrease that it could be minimize the problem.

topic Re: User ip mapping with only Global Protect in General Topics

User ip mapping with only Global Protect

Re: User ip mapping with only Global Protect

Re: User ip mapping with only Global Protect