User Agent and Active Directory 2008

L0 Member

I would like to know if there are some known issues about communications between useragent and AD2008 ?

We are migrating from AD2003 to AD2008 and some User-ID associations are missed.

We are not using security logs at the moment but only the session table monitoring.

We already have opened a case but I would like to share this experience.

We also encountered some issues with Juniper Firewall and AD2008. The ALG MS-RPC features based on UUID matching no longer works.

Is the UUID used by Palo Alto agents when communicating with the AD ?

Thanks for your help.

5 REPLIES 5

L4 Transporter

Are you logging success and failures for the "audit account logon events" and "audit logon events" on the domain controllers?

No, not yet. We plan to do it with AD2008. We do not understand why some identifications are missed now (2008 vs 2003).

The root cause of this issue starts becoming more accurate :

When an anonymous event comes from a user PC to the DC ( which has already been recognized by the AD agent ), here is the behaviour :

With DC2003, the AD agent gets the field "sesi10_username" with an empty value, which has no effect on the PAN agent.

With DC2008R2, the AD agent gets the field "sesi10_username" with the value ANONYMOUS LOGON, which causes the PAN agent to overwrite the previous UserID-IP identification.

So, how to turn around this issue ? Is there a way on the agent to ignore ANONYMOUS LOGON ?

Thanks for your help.

bdaussin wrote:

The root cause of this issue starts becoming more accurate :

When an anonymous event comes from a user PC to the DC ( which has already been recognized by the AD agent ), here is the behaviour :

With DC2003, the AD agent gets the field "sesi10_username" with an empty value, which has no effect on the PAN agent.

With DC2008R2, the AD agent gets the field "sesi10_username" with the value ANONYMOUS LOGON, which causes the PAN agent to overwrite the previous UserID-IP identification.

So, how to turn around this issue ? Is there a way on the agent to ignore ANONYMOUS LOGON ?

Thanks for your help.

In the Palo Alto agent directory, create a file called "ignore_user_list.txt"

Add your "ANONYMOUS LOGON" to this file - you may need to put it in quotes, like I just did, as there is a space in the username.

See if this works.

Cheers!

Thanks for your advice and workaround. We set up this file on the AD agent, but it seems that it filters out all information coming from the DC session table.

We have opened a case with support but it is taking quite long to get a useful answer.

Thanks,
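
The overwrite described in this thread, as an added example: a simplified Python model of session-table based IP-to-user mapping, not Palo Alto's agent code and not posted by any participant. `sesi10_cname` is the client field of the same SESSION_INFO_10 structure that carries `sesi10_username`; the addresses, user names and the `IGNORED_USERS` set are constructed assumptions.

```python
# Simplified model of session-table based IP-to-user mapping (not the agent's code).
# Each polled row mirrors two SESSION_INFO_10 fields: sesi10_cname (client address)
# and sesi10_username. All rows below are constructed sample data.

IGNORED_USERS = frozenset({"anonymous logon"})  # assumed ignore list, lower-cased


def apply_session_rows(mapping, rows, ignored=frozenset()):
    """Update an IP -> user mapping in place from polled session rows.

    Rows with an empty username never change the mapping (the DC2003 case).
    Ignored names are skipped row by row and compared case-insensitively,
    so the other rows of the same poll are still processed.
    Returns the (ip, old_user, new_user) overwrites, for review or alerting.
    """
    overwrites = []
    for row in rows:
        ip = row["sesi10_cname"].lstrip("\\")
        user = row["sesi10_username"].strip()
        if not user or user.lower() in ignored:
            continue
        old = mapping.get(ip)
        if old is not None and old != user:
            overwrites.append((ip, old, user))
        mapping[ip] = user
    return overwrites


def demo():
    """Replay one constructed poll per DC version against a known mapping."""
    dc2003_poll = [{"sesi10_cname": "\\\\10.0.0.15", "sesi10_username": ""}]
    dc2008_poll = [
        {"sesi10_cname": "\\\\10.0.0.15", "sesi10_username": "ANONYMOUS LOGON"},
        {"sesi10_cname": "\\\\10.0.0.22", "sesi10_username": "bob"},
    ]
    results = {}
    for name, poll, ignored in [
        ("dc2003", dc2003_poll, frozenset()),
        ("dc2008_unfiltered", dc2008_poll, frozenset()),
        ("dc2008_filtered", dc2008_poll, IGNORED_USERS),
    ]:
        mapping = {"10.0.0.15": "alice"}  # identification learned earlier
        lost = apply_session_rows(mapping, poll, ignored)
        results[name] = (mapping, lost)
    return results


if __name__ == "__main__":
    for name, (mapping, lost) in demo().items():
        print(name, mapping, "overwrites:", lost)
```
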
