topic Re: user if agent and switching between ids in General Topics

user if agent and switching between ids

MP18 — Mon, 29 Oct 2018 23:20:20 GMT

we have configured rules with group mapping using LDAP.

We have one user where he switch between user ids and when he trieds to login to server with user id not allowed in list he gets

denied.

should he log off and log on as best practice when he switch between user ids?

Re: user if agent and switching between ids

Remo — Mon, 29 Oct 2018 23:53:49 GMT

Does this user normally works with his default user but needs to use another one for task that require administrative privileges and the user-ids are switching between these two? Or uses scripts that run as another user, maybe a service account?

Re: user if agent and switching between ids

MP18 — Tue, 30 Oct 2018 01:19:49 GMT

works fine with default user account but user need to access some apps for that he has to login to those apps with different user id.

And thats what causes the problem.

Domain is same for both the default user account and other apps.

Re: user if agent and switching between ids

Raido_Rattameister — Tue, 30 Oct 2018 03:11:16 GMT

Try to add user to run apps with into ignore list.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClklCAC

Re: user if agent and switching between ids

JW6224 — Tue, 30 Oct 2018 12:43:39 GMT

So your scenario, if I understand it, is that you have a user using "switch user" in Windows to switch between sessions? And after he switches to a new session, he can no longer access what he wants to on the network, because the user account that he switched to doesn't meet your rule User-ID criteria?

That sort of sounds like it is working as intended, or else you need to add the account that he's switching to into the rule User-ID criteria. Adding the user account that he's switching to into the user-ignore-list.txt would prevent that account from being "learned" by the Palo Alto - ever. Not just on this machine...any time that account is used, it will not be learned by your firewall.

In the background, the user-ID agent is monitoring the authentication logs from your domain controllers. When the user switches, a successful authentication event is recorded on your DCs. The User-ID agent sees that log entry, notes the IP address and the user account, and then updates the firewall with the second user in the IP-to-User-mappings. This is now how your firewall will evaluate that IP address - with the new user account. Switching back to your original user should over-write that entry, because another authentication event takes place. And this is why adding the user to the ignore list will work - your authentication event for your second account will never get recorded by the user-id agent/updated in the IP-to-User-mappings in the firewall.

One other option is to deploy a global protect agent to authenticate to an internal (no tunnel) gateway on your firewalls, just to learn the user ID's.

Re: user if agent and switching between ids

MP18 — Wed, 31 Oct 2018 03:38:13 GMT

Thanks everyone for answering the questions