RDP and the PAN-Agent

Reply
Highlighted
L4 Transporter

RDP and the PAN-Agent

I'm noticing that when a user connects to a server using RDP with a different username, the PAN-Agent is reading that username and associating it the user's computer.

For instance, a programmer named 'jdoe' connects to a web server from his PC using IP address 172.16.3.3 using the username 'webadmin'. The traffic logs now read that 'webadmin' is logged on to 172.16.3.3.

Is anyone else having this problem?

Tags (2)
L6 Presenter

Re: RDP and the PAN-Agent

Pan Agent picks up logon events from the domain controller security event log. So if your Windows environment is somehow showing user "webadmin" instead of "jdoe" then you should first investigate the DC security event logs to verify that this is occurring and then investigate the root cause of that.

If this isn't the case then you have a mystery that should probably be resolved with a support case.

-Benjamin

L2 Linker

Re: RDP and the PAN-Agent

We noticed exact the same issue some days ago.. Very annoying and i'm afraid it can this issue will not be solved quickly since the Pan-agent is reading some log types of the dc security logs , i guess.

Anyone who can confirm this ? Is PA working on this ?

L4 Transporter

Re: RDP and the PAN-Agent

Well, it is valid in the event log. I noticed it on my Mac using RDP also.

I thought the NetBios probes would re-query the workstation, but this is not the case.

L6 Presenter

Re: RDP and the PAN-Agent

The NetBios probe should query the workstation every 20 minutes (default) and re-map the user-to-ip-mapping if warranted.

The real question here is why is your Windows environment showing a logon to your user's PC from the webadmin user?

L4 Transporter

Re: RDP and the PAN-Agent

Here's an example from one of our Server 2008 R2 DCs when using MS-RDP.

Log Name:      Security

Source:        Microsoft-Windows-Security-Auditing

Date:          2/1/2011 3:59:30 PM

Event ID:      4624

Task Category: Logon

Level:         Information

Keywords:      Audit Success

User:          N/AComputer:      ITDNS2.lab.org

Description:An account was successfully logged on.
Subject:     Security ID:          SYSTEM

Account Name:          ITDNS2$

Account Domain: LAB

Logon ID:          0x3e7
Logon Type:               10
New Logon:     Security ID: LAB\administrator

Account Name:          administrator

Account Domain:          LAB

Logon ID:          0x2a9158bb

Logon GUID:          {00000000-0000-0000-0000-000000000000}


Process Information:

Process ID:          0x584

Process Name:          C:\Windows\System32\winlogon.exe
Network Information:

Workstation Name:     ITDNS2

Source Network Address:     172.16.16.200

Source Port:          60635


Detailed Authentication Information:

Logon Process:          User32

Authentication Package:     Negotiate     Transited

Services:     -     Package Name (NTLM only):     -     Key Length:          0


This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.     - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.     - Transited services indicate which intermediate services have participated in this logon request.     - Package name indicates which sub-protocol was used among the NTLM protocols.     - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

L7 Applicator

Re: RDP and the PAN-Agent

adding your RDP servers to the panagent ignore list may help eleviate this issue since it should then stop collecting logon info from your server and only check your user pc's

L4 Transporter

Re: RDP and the PAN-Agent

Well, it's collecting the logon information from the client side, not the server side, in AD.

I imagine that it’s coming from the way Terminal Services Client 6.0 send the credentials first before letting you log into the server. I think 5 would bring up the console, and then allow you to login.

Not applicable

Re: RDP and the PAN-Agent

Hi, I would like to elaborate on a similar issue that i am having.

i have 2 usernames, a local one say abc and another one with more privileges, say xyz.

i use xyz to rdp to servers etc. and am usually logged into my pc with abc. my problem is that i am using usernames in the palo alto firewall for creating policies, and both of these user-ids have specific groups that they are part of being allowed through the firewall for different reasons.

Hence adding a particular user to the ignore list on the pan-agent isnt a solution, and the fact that the palo alto firewall maps users to an ip address, and the otherway round could be a bad news for a company that my use kiosks or hotdesking ...

Please advice if there is a solution for such issues.

cheers

Bhav

L4 Transporter

Re: RDP and the PAN-Agent

Clarification question:

Which system is being marked with the rdp user login? Server or workstation?

Thanks

James

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!