<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Domain joined PCs and user logoff events? in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/domain-joined-pcs-and-user-logoff-events/m-p/383471#M89962</link>
    <description>&lt;P&gt;Hi all,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I was reading in some of the documentation for User-ID to see if we can improve our security a bit.&amp;nbsp; Basically, I'm currently setting User-ID logs to no timeout with the assumption that a new user login will generate a new one and override the old one.&amp;nbsp; We've been doing this because a number of users leave their computers locked instead of logging off every day, so relying on a timeout period means eventually losing access to things that are utilizing the user-based policies.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The WinRM documentation from 9.0 appears to say it can be used to "&lt;SPAN&gt;map usernames from login and logout events to IP addresses" (&lt;A href="https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/user-id-features/winrm-support-for-server-monitoring.html" target="_blank"&gt;https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/user-id-features/winrm-support-for-server-monitoring.html&lt;/A&gt;), but everything I've found seems to indicate AD doesn't receive logoff events from the domain-joined PCs.&amp;nbsp; Is this something that works on newer AD servers, or is the documentation incorrect?&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;If it is incorrect, I'm curious what others are doing to get logoff events.&amp;nbsp; I could probably get the PCs to send something to a syslog server on a logoff event, but I don't see any way in the syslog filter on the firewall to specify something as a logoff event vs a logon event, unless the solution would just be to match the event, retrieve the IP, but put a regex for the user ID that would never match anything?&lt;/SPAN&gt;&lt;/P&gt;</description>
    <pubDate>Tue, 02 Feb 2021 18:16:34 GMT</pubDate>
    <dc:creator>jsalmans</dc:creator>
    <dc:date>2021-02-02T18:16:34Z</dc:date>
    <item>
      <title>Domain joined PCs and user logoff events?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/domain-joined-pcs-and-user-logoff-events/m-p/383471#M89962</link>
      <description>&lt;P&gt;Hi all,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I was reading in some of the documentation for User-ID to see if we can improve our security a bit.&amp;nbsp; Basically, I'm currently setting User-ID logs to no timeout with the assumption that a new user login will generate a new one and override the old one.&amp;nbsp; We've been doing this because a number of users leave their computers locked instead of logging off every day, so relying on a timeout period means eventually losing access to things that are utilizing the user-based policies.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The WinRM documentation from 9.0 appears to say it can be used to "&lt;SPAN&gt;map usernames from login and logout events to IP addresses" (&lt;A href="https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/user-id-features/winrm-support-for-server-monitoring.html" target="_blank"&gt;https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/user-id-features/winrm-support-for-server-monitoring.html&lt;/A&gt;), but everything I've found seems to indicate AD doesn't receive logoff events from the domain-joined PCs.&amp;nbsp; Is this something that works on newer AD servers, or is the documentation incorrect?&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;If it is incorrect, I'm curious what others are doing to get logoff events.&amp;nbsp; I could probably get the PCs to send something to a syslog server on a logoff event, but I don't see any way in the syslog filter on the firewall to specify something as a logoff event vs a logon event, unless the solution would just be to match the event, retrieve the IP, but put a regex for the user ID that would never match anything?&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 02 Feb 2021 18:16:34 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/domain-joined-pcs-and-user-logoff-events/m-p/383471#M89962</guid>
      <dc:creator>jsalmans</dc:creator>
      <dc:date>2021-02-02T18:16:34Z</dc:date>
    </item>
    <item>
      <title>Re: Domain joined PCs and user logoff events?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/domain-joined-pcs-and-user-logoff-events/m-p/383501#M89967</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/39461"&gt;@jsalmans&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;To the best of my knowledge you can't have logoff events clear user-id information automatically. When clients have needed this in the past I've scripted it so that a logoff triggers a script that simply uses the API to clear the user-id information for the IP address on clients.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 02 Feb 2021 20:41:12 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/domain-joined-pcs-and-user-logoff-events/m-p/383501#M89967</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2021-02-02T20:41:12Z</dc:date>
    </item>
    <item>
      <title>Re: Domain joined PCs and user logoff events?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/domain-joined-pcs-and-user-logoff-events/m-p/383615#M89984</link>
      <description>&lt;P&gt;I've not tried WinRM, but logoff events are highly unreliable (closing your laptop lid is not a logoff, unplugging from the network isn't either). So I wouldn't rely on this mechanism at all.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;In your first paragraph you mention you have the timeout set to 'off' because you want the new user to overwrite the old user.&lt;/P&gt;&lt;P&gt;These are two different mechanisms that are not mutually exclusive: you can time out inactive users, and new users will still overwrite old accounts that have not timed out yet. I'd recommend always using the timeout (what if a new user 'roams' onto an abandoned IP with a user still logged on? The roaming user will not necessarily generate a logon event, so will seamlessly take over the previous user's credentials).&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Timeout is one of the most reliable logoff events &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt; You could consider WMI probing, or internal GlobalProtect agents, for more control over users' IP mapping.&lt;/P&gt;</description>
      <pubDate>Wed, 03 Feb 2021 11:22:45 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/domain-joined-pcs-and-user-logoff-events/m-p/383615#M89984</guid>
      <dc:creator>reaper</dc:creator>
      <dc:date>2021-02-03T11:22:45Z</dc:date>
    </item>
  </channel>
</rss>