<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Panagents and Active Directory sub-domains in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/panagents-and-active-directory-sub-domains/m-p/50377#M37085</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Update- 4.1 does address this. I upgraded earlier this week, and there appears to be a positive impact. Not only can I manage the multiple domains, I can also point to Exchange servers for authentication.&lt;/P&gt;&lt;P&gt;Thanks for the fixes!&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Thu, 17 Nov 2011 16:22:00 GMT</pubDate>
    <dc:creator>cloughr</dc:creator>
    <dc:date>2011-11-17T16:22:00Z</dc:date>
    <item>
      <title>Panagents and Active Directory sub-domains</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/panagents-and-active-directory-sub-domains/m-p/50374#M37082</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;We have an Active Directory domain with a sub-domain: bar.org and foo.bar.org. We have 4 panagent servers, 2 dedicated to each. Our problem is that when user A.bar.org logs on, PA sometimes identifies him as user B.foo.bar.org, with the same IP address.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I can re-create this problem by logging onto a machine first as a member of bar.org, then foo.bar.org. I suspect multiple logons to a single machine, plus short IP lease times, are the issue. Is there a solution for this?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 07 Nov 2011 19:13:05 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/panagents-and-active-directory-sub-domains/m-p/50374#M37082</guid>
      <dc:creator>cloughr</dc:creator>
      <dc:date>2011-11-07T19:13:05Z</dc:date>
    </item>
    <item>
      <title>Re: Panagents and Active Directory sub-domains</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/panagents-and-active-directory-sub-domains/m-p/50375#M37083</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;This is a current design limitation, since Windows does not create a log-off event for us to monitor. I assume you have a pan agent for every domain, since currently the pan agent can only monitor a single domain.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The reason you are running into this issue is that pan agent (bar.org) and pan agent (foo.bar.org) will retain the user-to-IP mapping even though the user has logged off that machine.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;One workaround for this, if the machines allow WMI probing: you can enable WMI probing on the Palo Alto device and also lower the age-out timeout, but that cannot be lower than the NetBIOS probing timer, which is also the timer for WMI.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Note: you do not want this to be too aggressive, since you will be forcing the mapping to be deleted from the pan agent.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I need to verify, but I believe we made some enhancements for this in 4.1, with which you can use a single agent for multiple domains.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 09 Nov 2011 04:59:25 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/panagents-and-active-directory-sub-domains/m-p/50375#M37083</guid>
      <dc:creator>jnguyen</dc:creator>
      <dc:date>2011-11-09T04:59:25Z</dc:date>
    </item>
    <item>
      <title>Re: Panagents and Active Directory sub-domains</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/panagents-and-active-directory-sub-domains/m-p/50376#M37084</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thanks, that's very helpful. We do have a panagent for each domain, but we don't currently use WMI probing. I don't believe WMI or NETBIOS is enabled on our clients, but it could be for some.&lt;/P&gt;&lt;P&gt;I will upgrade to 4.1 and monitor, then try your suggestions.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 09 Nov 2011 12:48:21 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/panagents-and-active-directory-sub-domains/m-p/50376#M37084</guid>
      <dc:creator>cloughr</dc:creator>
      <dc:date>2011-11-09T12:48:21Z</dc:date>
    </item>
    <item>
      <title>Re: Panagents and Active Directory sub-domains</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/panagents-and-active-directory-sub-domains/m-p/50377#M37085</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Update- 4.1 does address this. I upgraded earlier this week, and there appears to be a positive impact. Not only can I manage the multiple domains, I can also point to Exchange servers for authentication.&lt;/P&gt;&lt;P&gt;Thanks for the fixes!&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 17 Nov 2011 16:22:00 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/panagents-and-active-directory-sub-domains/m-p/50377#M37085</guid>
      <dc:creator>cloughr</dc:creator>
      <dc:date>2011-11-17T16:22:00Z</dc:date>
    </item>
  </channel>
</rss>

