https://live.paloaltonetworks.com/t5/general-topics/global-protect-not-passing-last-login-information/m-p/12540#M9189 <HTML><HEAD></HEAD><BODY><P>The issue is with AD in the fact the Palo Alto's are only using "simple bind" with the LDAP lookup.&nbsp; From what I found the AD should use lastlogonTimeStamp instead of lastlogon for "simple bind."&nbsp; However it appears it is still not accurate.&nbsp; Showed a user last logged on 7 days ago, but the are currently logged on.</P></BODY></HTML> Thu, 18 Sep 2014 13:51:43 GMT rgreens 2014-09-18T13:51:43Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-not-passing-last-login-information/m-p/12533#M9182 <HTML><HEAD></HEAD><BODY><P>We have a few vendors who have AD accounts, but only connect to Global Protect to SSH to specific servers.&nbsp; They don't use any other domain resources.&nbsp; When we look in the domain controllers there is no last login information.&nbsp; So our policy to disable unused accounts after 21 days keeps disabling active accounts.</P><P></P><P>Anyone know how to get it to pass this information?</P><P></P><P>Thank you,</P><P><BR />Randy</P></BODY></HTML> Thu, 11 Sep 2014 13:34:06 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-not-passing-last-login-information/m-p/12533#M9182 rgreens 2014-09-11T13:34:06Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-not-passing-last-login-information/m-p/12534#M9183 <HTML><HEAD></HEAD><BODY><P>Hi Randy,</P><P></P><P>I am rephrasing the question, correct me if I am wrong.</P><P></P><P>Question : How to find out unused GP users for last 21 days?</P><P></P><P>If that is the question, you can not readily pull out that information from Firewall.</P><P></P><P>However, system logs have information about GP user login/logout activity. You should forward it to syslog server. And do the analysis from login/logout logs.</P><P></P><P>Let me know if that helps.</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Thu, 11 Sep 2014 13:38:07 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-not-passing-last-login-information/m-p/12534#M9183 hshah 2014-09-11T13:38:07Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-not-passing-last-login-information/m-p/12535#M9184 <HTML><HEAD></HEAD><BODY><P>I think he means; how can a user logging into Global Protect cause the last-logged-in timestamp held in Active Directory to be updated.</P></BODY></HTML> Thu, 11 Sep 2014 13:43:40 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-not-passing-last-login-information/m-p/12535#M9184 ajbool 2014-09-11T13:43:40Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-not-passing-last-login-information/m-p/12536#M9185 <HTML><HEAD></HEAD><BODY><P>ajbool, correct.&nbsp; I can see in the Palo Alto the last login for Global Protect, but in the Domain Controllers in doesn't update the last login information.</P></BODY></HTML> Thu, 11 Sep 2014 13:45:03 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-not-passing-last-login-information/m-p/12536#M9185 rgreens 2014-09-11T13:45:03Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-not-passing-last-login-information/m-p/12537#M9186 <HTML><HEAD></HEAD><BODY><P>Hi Ajbool,</P><P></P><P>When user tries to login, firewall sends credentials to AD for verification. So, AD should have that log in security logs.</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Thu, 11 Sep 2014 13:45:30 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-not-passing-last-login-information/m-p/12537#M9186 hshah 2014-09-11T13:45:30Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-not-passing-last-login-information/m-p/12538#M9187 <HTML><HEAD></HEAD><BODY><P>Hello Rgreens,</P><P></P><P>This appears to be AD log issue, try to deep dive into security logs of AD. </P><P></P><P>I dont think there is any issue with firewall, if user is authenticated than firewall must have forwarded request to AD.</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Thu, 11 Sep 2014 13:46:58 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-not-passing-last-login-information/m-p/12538#M9187 hshah 2014-09-11T13:46:58Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-not-passing-last-login-information/m-p/12539#M9188 <HTML><HEAD></HEAD><BODY><P>just check AD settings for logging that.</P><P>Not a firewall issue.</P></BODY></HTML> Fri, 12 Sep 2014 06:20:59 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-not-passing-last-login-information/m-p/12539#M9188 Retired Member 2014-09-12T06:20:59Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-not-passing-last-login-information/m-p/12540#M9189 <HTML><HEAD></HEAD><BODY><P>The issue is with AD in the fact the Palo Alto's are only using "simple bind" with the LDAP lookup.&nbsp; From what I found the AD should use lastlogonTimeStamp instead of lastlogon for "simple bind."&nbsp; However it appears it is still not accurate.&nbsp; Showed a user last logged on 7 days ago, but the are currently logged on.</P></BODY></HTML> Thu, 18 Sep 2014 13:51:43 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-not-passing-last-login-information/m-p/12540#M9189 rgreens 2014-09-18T13:51:43Z