User Agent and Active Directory 2008

Not applicable

User Agent and Active Directory 2008

I would like to know if there are some known issues about communications between useragent and AD2008 ?

We are migrating from AD2003 to AD2008 and some User-ID associations are missed :smileyangry:

We are not using security logs at the moment but only the session table monitoring.

We have already opened a case but I would like to share this experience.

We also encountered some issues with Juniper Firewall and AD2008. The ALG MS-RPC feature based on UUID matching no longer works.

Is the UUID used by Palo Alto agents when communicating with the AD ?

Thanks for your help.

L4 Transporter

Re: User Agent and Active Directory 2008

Are you logging success and failures for the "audit account logon events" and "audit logon events" on the domain controllers?

Not applicable

Re: User Agent and Active Directory 2008

No, not yet. We plan to do it with AD2008. We do not understand why some identifications are missed now (2008 vs 2003).

Not applicable

Re: User Agent and Active Directory 2008

The root cause of this issue starts becoming more accurate :

When an anonymous event comes from a user PC to the DC ( which has already been recognized by the AD agent ), here is the behaviour :

With DC2003, the AD agent gets the field "sesi10_username" with an empty value, which has no effect on the Pan Agent.

With DC2008R2, the AD agent gets the field "sesi10_username" with the value ANONYMOUS LOGON, which causes the PAN agent to overwrite the previous UserID-IP identification.

So, how to turn around this issue ? Is there a way on the agent to ignore ANONYMOUS LOGON ?

Thanks for your help.

L4 Transporter

Re: User Agent and Active Directory 2008

bdaussin wrote:

The root cause of this issue starts becoming more accurate :

When an anonymous event comes from a user PC to the DC ( which has already been recognized by the AD agent ), here is the behaviour :

With DC2003, the AD agent gets the field "sesi10_username" with an empty value, which has no effect on the Pan Agent.

With DC2008R2, the AD agent gets the field "sesi10_username" with the value ANONYMOUS LOGON, which causes the PAN agent to overwrite the previous UserID-IP identification.

So, how to turn around this issue ? Is there a way on the agent to ignore ANONYMOUS LOGON ?

Thanks for your help.

In the Palo Alto agent directory, create a file called "ignore_user_list.txt"

Add your "ANONYMOUS LOGON" to this file - you may need to put it in quotes, like I just did, as there is a space in the username.

See if this works.

Cheers!

Not applicable

Re: User Agent and Active Directory 2008

Thanks for your advice and workaround. We set up this file on the AD agent, but it seems that it filters out all information coming from the DC session table :smileysad:

We have opened a case with support but it's taking quite long to get a useful answer :smileyangry:

Thanks,
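
The behaviour discussed in this thread, as an added example that is not part of any post and is not Palo Alto agent code: a small Python model of an IP-to-user mapping updated from session-table rows, showing the empty `sesi10_username` (DC2003), the ANONYMOUS LOGON overwrite (DC2008R2), and an ignore list that drops only the matching rows. The row layout, the ignore-file syntax (one name per line, quotes optional) and all names and addresses are assumptions constructed for illustration.

```python
# Added illustration: a model of the IP-to-user mapping update, not agent code.
# Row layout, ignore-file syntax and all sample values are assumptions.

def parse_ignore_list(text):
    """Assumed file format: one username per line, quotes optional."""
    names = set()
    for line in text.splitlines():
        name = line.strip().strip('"').strip()
        if name:
            names.add(name.casefold())
    return names

def bare_name(username):
    """Drop a DOMAIN\\ prefix and normalise case for comparison."""
    return username.rsplit("\\", 1)[-1].strip().casefold()

def apply_sessions(mapping, rows, ignore=frozenset()):
    """Apply (client, sesi10_username) rows; return the rows that were skipped."""
    skipped = []
    for client, username in rows:
        ip = client.lstrip("\\")
        if not username.strip():
            continue                        # DC2003 case: empty value, no effect
        if bare_name(username) in ignore:
            skipped.append((ip, username))  # only this row is dropped
            continue
        mapping[ip] = username              # last row seen wins for this IP
    return skipped

# Constructed session-table polls (documentation address range).
DC2003_POLL = [("\\\\192.0.2.20", "")]
DC2008R2_POLL = [("\\\\192.0.2.20", "ANONYMOUS LOGON"),
                 ("\\\\192.0.2.21", "CORP\\bob")]

def run_demo():
    known = {"192.0.2.20": "CORP\\alice"}   # mapping learned earlier
    a = dict(known); apply_sessions(a, DC2003_POLL)
    b = dict(known); apply_sessions(b, DC2008R2_POLL)
    c = dict(known)
    ignore = parse_ignore_list('"ANONYMOUS LOGON"\n')
    skipped = apply_sessions(c, DC2008R2_POLL, ignore)
    return a, b, c, skipped

if __name__ == "__main__":
    labels = ("2003", "2008R2", "2008R2+ignore", "skipped")
    for label, result in zip(labels, run_demo()):
        print(label, result)
```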
