https://live.paloaltonetworks.com/t5/general-topics/user-information-in-firewall-database-cache/m-p/12839#M9411 <HTML><HEAD></HEAD><BODY><P>It sounds like the Captive Portal expiration time has yet to be reached for the original user and the guest user is authenticating based on that.&nbsp; You can reduce the expiration time and verify if the guest is recogonized.</P></BODY></HTML> Mon, 26 Apr 2010 23:23:49 GMT nrice 2010-04-26T23:23:49Z https://live.paloaltonetworks.com/t5/general-topics/user-information-in-firewall-database-cache/m-p/12838#M9410 <HTML><HEAD></HEAD><BODY><P>1: Captive Portal is set for entire network ( 192.168.1.0) and in Active Directory the group ( IT) is choosen which will be filtered or monitored. There are <BR /><BR />two users ( user1/user2) who are member of this group.<BR /><BR />Firewall Rule :<BR />==============<BR /><BR />1:&nbsp; Trust to Untrust<BR /><BR /><BR />&nbsp;&nbsp;&nbsp;&nbsp; Source&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Action&nbsp; <BR /><BR />1: ( Any known user)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Allow<BR />2: ( Any Unknown user)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Block<BR /><BR /><BR /><BR />Issue:<BR />=====<BR /><BR />When user 1 &amp; user 2 login to shared workstation ( WS1) ( One after other)They both are able to browse internet and no issues. However after sometime the local administrator on that pc( WS1) is logged in, Locally on that machine to work and he is trying to browse internet( Ideally that user is unknown he should be prompted for authentication and he can use any guest based user account from AD ( guest 1) to access internet with limited accessibity of sites.This is not happening, the moment the local adminstration is login into that machine ( WS1) and trying to browse internet, that user is getting internet access.Seems like there is some sort of Cached information which shows that ( WS1) is still being used by known users and its not able to refresh it.<BR /><BR />I tried to reset the user captive portal session using this command:-<BR /><BR /># debug device-server reset captive-portal ip-address 192.168.1.104<BR /><BR />It was of no help, <BR /><BR />Resolution:<BR />=============<BR /><BR />When i restarted the PAN agent, it started to work and that agent was showing 192.168.1.104 Ip as unknown and when tried to open the IE and browse on that <BR /><BR />pc. it showed the authentication .<BR /><BR />This is a issue with us, and we will not be able to apply the policies on the users.<BR /><BR />Observations:<BR /><BR />==============<BR /><BR />1: When we checked the logs in Firewall Monitor TAB, It was still showing us last logged in username and the logs were showing his name with latest <BR /><BR />timestamp. We even checked by browsing some of the websited and enabled ( Resolve) in the logs to see and synchronize the domain name we were browsing as <BR /><BR />current local administrator. However in the logs it was showing as domain user who is no more logged into that machine.<BR /><BR />Any Suggestion on this ?</P></BODY></HTML> Sat, 24 Apr 2010 19:23:09 GMT https://live.paloaltonetworks.com/t5/general-topics/user-information-in-firewall-database-cache/m-p/12838#M9410 paramount 2010-04-24T19:23:09Z https://live.paloaltonetworks.com/t5/general-topics/user-information-in-firewall-database-cache/m-p/12839#M9411 <HTML><HEAD></HEAD><BODY><P>It sounds like the Captive Portal expiration time has yet to be reached for the original user and the guest user is authenticating based on that.&nbsp; You can reduce the expiration time and verify if the guest is recogonized.</P></BODY></HTML> Mon, 26 Apr 2010 23:23:49 GMT https://live.paloaltonetworks.com/t5/general-topics/user-information-in-firewall-database-cache/m-p/12839#M9411 nrice 2010-04-26T23:23:49Z