Global Protect not passing last login information?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Global Protect not passing last login information?

L2 Linker

We have a few vendors who have AD accounts, but only connect to Global Protect to SSH to specific servers.  They don't use any other domain resources.  When we look in the domain controllers there is no last login information.  So our policy to disable unused accounts after 21 days keeps disabling active accounts.

Anyone know how to get it to pass this information?

Thank you,


Randy

1 accepted solution

Accepted Solutions

Hello Rgreens,

This appears to be AD log issue, try to deep dive into security logs of AD.

I dont think there is any issue with firewall, if user is authenticated than firewall must have forwarded request to AD.

Regards,

Hardik Shah

View solution in original post

7 REPLIES 7

L6 Presenter

Hi Randy,

I am rephrasing the question, correct me if I am wrong.

Question : How to find out unused GP users for last 21 days?

If that is the question, you can not readily pull out that information from Firewall.

However, system logs have information about GP user login/logout activity. You should forward it to syslog server. And do the analysis from login/logout logs.

Let me know if that helps.

Regards,

Hardik Shah

I think he means; how can a user logging into Global Protect cause the last-logged-in timestamp held in Active Directory to be updated.

ajbool, correct.  I can see in the Palo Alto the last login for Global Protect, but in the Domain Controllers in doesn't update the last login information.

Hi Ajbool,

When user tries to login, firewall sends credentials to AD for verification. So, AD should have that log in security logs.

Regards,

Hardik Shah

Hello Rgreens,

This appears to be AD log issue, try to deep dive into security logs of AD.

I dont think there is any issue with firewall, if user is authenticated than firewall must have forwarded request to AD.

Regards,

Hardik Shah

L6 Presenter

just check AD settings for logging that.

Not a firewall issue.

The issue is with AD in the fact the Palo Alto's are only using "simple bind" with the LDAP lookup.  From what I found the AD should use lastlogonTimeStamp instead of lastlogon for "simple bind."  However it appears it is still not accurate.  Showed a user last logged on 7 days ago, but the are currently logged on.

  • 1 accepted solution
  • 4414 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!