topic Re: Wrong user from access log in General Topics

Wrong user from access log

BethSouza — Wed, 07 Nov 2018 10:50:15 GMT

Hello!

The local user Administrator is logged in on the desktop and he is not allowed to access the internet. But he can access.

When checking in Monitor on PA220, I noticed that another user appears in the Source User column and not the Administrator user.

Has anyone ever experienced this?

Software version 8.0.10

Thank you!

Re: Wrong user from access log

Mick_Ball — Wed, 07 Nov 2018 11:04:59 GMT

the local admin account probably has nothing to do with AD so your your user ID is still seeing the account that last registered with your AD server.

Re: Wrong user from access log

BethSouza — Wed, 07 Nov 2018 11:08:23 GMT

Ok... but, do you know how we can solve this issue?

Thank you!

Re: Wrong user from access log

Mick_Ball — Wed, 07 Nov 2018 11:16:34 GMT

ooh... good point... not sure... I'm sure someone will jump in and advise..

to confirm..

are you using AD for user-ID.

Re: Wrong user from access log

BethSouza — Wed, 07 Nov 2018 11:17:49 GMT

Yes... I am using AD server.

So, let´s wait...

Thanks

Re: Wrong user from access log

Mick_Ball — Wed, 07 Nov 2018 11:27:33 GMT

Have you tried this approach...

•Device > User Identification> User Mapping > Palo Alto Networks User-ID Agent Setup > Client Probing

You can configure the User-ID agent to perform WMI client probing for each client system that the user mapping process identifies. The User-ID agent will periodically probe each learned IP address to verify that the same user is still logged in. When the firewall encounters an IP address for which it has no user mapping, it sends the address to the User-ID agent for an immediate probe. To configure client probing settings, complete the following fields.

Re: Wrong user from access log

Mick_Ball — Wed, 07 Nov 2018 11:28:09 GMT

https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/user-identification/device-user-identification-user-mapping/enable-client-probing

Re: Wrong user from access log

BethSouza — Wed, 07 Nov 2018 11:37:18 GMT

This option is enabled...

Re: Wrong user from access log

BPry — Wed, 07 Nov 2018 21:52:43 GMT

@BethSouza,

You'll never get local admin accounts to actually show up as a user-id, unless you poll the machine in question which would be a really odd configuration. WMI client probing can help in this case, but your user-id configuration will ignore the user unless specifically set to allow it.

Best solution, admin accounts should be AD users that are granted administrative rights on the machine. If you are going to use local-user accounts for administrative purposes you'll have to grant at least basic tcp/80 and tcp/443 access for any unknown-user in your environement and just be sure to log it to fit in with your security needs.

Re: Wrong user from access log

BethSouza — Thu, 08 Nov 2018 13:02:50 GMT

Hello Bpry,

we do not want local users to have access to the internet. The local administrator was able to access the internet by chance and we were surprised when we checked the PA220 log.

I think the problem is when the PA220 looks in the Domain Controller Audit log for the validation of the user who is logged into the machine. Because the local machine administrator is not registered in the Domain Controller Audit log, it takes the last user record that logged on the machine.

Thank you!

Re: Wrong user from access log

BPry — Thu, 08 Nov 2018 14:16:44 GMT

@BethSouza,

Correct; which is why WMI probing isn't going to help you here, as the firewall sees the old user-mapping and has no reason to immedately trigger a probe. You could potentially get around this by decreasing your timeout value, which still wouldn't eleviate the issue but would probably fit what you are aiming to do better than what you have already.

Re: Wrong user from access log

BethSouza — Thu, 08 Nov 2018 18:06:08 GMT

@BPry,

unfortunately it did not work.

Thank you.

Re: Wrong user from access log

BethSouza — Fri, 09 Nov 2018 17:11:46 GMT

Hello @BPry,

I logged with user "educlocal" (he doesn't has internet access and he is a local user in Windows 10.).

But he is accessing internet.

Here is the log showing the user showing by PA when local user "educlocal" access the internet.

this is one of my issue.

Thank you!

Re: Wrong user from access log

BPry — Fri, 09 Nov 2018 17:22:55 GMT

@BethSouza,

Just because a new user logs in doesn't mean the user-id information on the firewall will automatically clear, the firewall has 0 knowledge of this event if you're just reading AD logs. Depending on a number of different configuration options ( WMI Probing Interval, User Identification Timeout Value) the mapping will stay present until it is removed or updated.

So if I'm logged into a machine with 'DOMAIN\bpry' as my user-id and then log in with a local admin account, the firewall doesn't have any idea that this local-account was ever used. To account for this either the probe interval can be increased if using WMI, or the identication timeout value can be decreased. Each option has downsides:

WMI Probing:

- Some find it difficult to setup

- Setting a short WMI Probe interval will cause a large amount of network traffic to all devices.

User Identifcation Timeout:

- Depending on the source of the user-id logs a short timeout value isn't possible if you wish to maintain user-id mappings.

- Setting an artifically high value can also cause issues.

When you're using local accounts there isn't a good way to solve the issue that you are running into. You simply aren't providing the firewall with the required information to update the user-id mapping. This means that regardless of what you do, there is the possibility that for a certain period of time the old user-id mapping will stay active when you log in with a local account.

To properly fix this you need to get rid of local accounts; there isn't another way to get around this issue.

Re: Wrong user from access log

Mick_Ball — Fri, 09 Nov 2018 17:26:05 GMT

could you not run a script on local group policy that mapped a network drive to an AD share with username

vdn_senac_educ\restricted.user

this would then update User-ID to a user that would be denied internet access...

a bit heath robinson but workable...

I favour the banning of local user accounts...

Re: Wrong user from access log

BPry — Fri, 09 Nov 2018 17:28:55 GMT

@Mick_Ball,

Hacky work around, but it would sure work!

Re: Wrong user from access log

BethSouza — Fri, 09 Nov 2018 17:41:37 GMT

@BPry,

So, I have to think how to get rid of local account like administrator account.

Thank you.

Re: Wrong user from access log

Mick_Ball — Fri, 09 Nov 2018 17:49:21 GMT

not get rid of it.... just dont give the password out!

who is using the local admin account and why do they need to use the local admin account?

Re: Wrong user from access log

BethSouza — Fri, 09 Nov 2018 17:57:13 GMT

@Mick_Ball,

The support team you use the local administrator account to do local maintenance.

Thank you.

Re: Wrong user from access log

BPry — Fri, 09 Nov 2018 18:02:37 GMT

@BethSouza,

Ya that's not really required at all if your environment is setup to current enterprise standards. For example each of our machines have a local admin account, but the password is controlled by LAPS and nobody logs into the account for anything. Administration of the machine is done through an AD account granted admin rights to all domain-joined computers. There really isn't any need to do this with a local account, and it deffinetly doesn't follow best-practice for Windows administration.