What Login Credentials Does Palo Alto Networks User-ID Agent See when Using RDP?

Issue

The user wants to start an RDP session from the device they are logged onto to a device that needs to be accessed remotely.

Details

The User-ID Agent (software or hardware) captures the logon user that is used to authenticate to the remote desktop window.

Shown below is an explanation of the process in an example scenario:

  • User1 is logged onto 10.10.10.10.
  • During authentication, a security log is generated on the Domain Controller.
  • The User-ID agent picks up the log and the firewall creates the mapping user1 ---> 10.10.10.10.
  • User user1 creates an RDP session to 10.10.20.20.
  • The user authenticates to the remote session with the account user_admin.
  • During this authentication, a logon event is created for the user user_admin with the source IP address 10.10.10.10.
  • This event creates the mapping user_admin ---> 10.10.10.10.
  • Since the firewall can hold only one mapping per IP address, the new event replaces the existing mapping for 10.10.10.10.
  • When the user disconnects from the remote session on 10.10.20.20, the mapping user_admin ---> 10.10.10.10 stays valid on the firewall, because log-off events are not relayed to the User-ID process. Any policy that references user1 for this address will therefore no longer match.

This behavior is by design: because User-ID relies only on the logon logs from the Windows domain controller, the last logon event stays in the IP-User mapping table.

Workaround

To work around this behavior, users have two options:

  1. Use the same account to create the RDP session (user1).
  2. If an administrative account is needed to escalate privileges (user_admin), then add that user to an exclusion list.
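The following simulation is an added example, not Palo Alto Networks code: it models a one-user-per-IP mapping table fed by constructed Domain Controller logon events, replays the scenario above (user1 on 10.10.10.10, then an RDP logon with user_admin from the same address, then a log-off that never reaches User-ID), and shows how putting user_admin on an ignore list keeps the user1 mapping intact. Event shapes, the `policy_matches` rule check and the omission of mapping timeouts are simplifications assumed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DcEvent:
    """Simplified Domain Controller security event (constructed, not real log text)."""
    kind: str         # "logon" or "logoff"
    user: str         # account that authenticated
    source_ip: str    # workstation address the DC recorded for the logon


class UserIdMappingTable:
    """One user per IP address; the most recent logon event for that IP wins.

    Logoff events are not consumed, mirroring the article's note that they are
    not relayed to the User-ID process. Mapping timeouts are omitted.
    """

    def __init__(self, ignore_list=()):
        # Accounts on the ignore list are never written into the table.
        self.ignore_list = {u.lower() for u in ignore_list}
        self.mapping = {}  # ip -> user

    def process(self, event):
        if event.kind != "logon":
            return self.mapping.get(event.source_ip)   # logoff: no change
        if event.user.lower() in self.ignore_list:
            return self.mapping.get(event.source_ip)   # ignored account: no change
        self.mapping[event.source_ip] = event.user     # last logon wins
        return event.user

    def user_for(self, ip):
        return self.mapping.get(ip)


def policy_matches(table, ip, rule_user):
    """Hypothetical user-based rule: does the user mapped to ip equal rule_user?"""
    return table.user_for(ip) == rule_user


# Constructed event stream reproducing the article's scenario.
WORKSTATION = "10.10.10.10"
RDP_TARGET = "10.10.20.20"
EVENTS = [
    DcEvent("logon", "user1", WORKSTATION),        # user1 signs in to the workstation
    DcEvent("logon", "user_admin", WORKSTATION),   # RDP to RDP_TARGET, authenticated from the workstation
    DcEvent("logoff", "user_admin", WORKSTATION),  # RDP session ends; never reaches User-ID
]


def run_scenario(ignore_list=()):
    """Replay EVENTS; return the table and the workstation's mapped user after each event."""
    table = UserIdMappingTable(ignore_list)
    trace = []
    for ev in EVENTS:
        table.process(ev)
        trace.append((ev.kind, ev.user, table.user_for(WORKSTATION)))
    return table, trace


if __name__ == "__main__":
    for label, ignore in (("default", ()), ("user_admin on ignore list", ("user_admin",))):
        table, trace = run_scenario(ignore)
        print(f"== {label} ==")
        for kind, user, mapped in trace:
            print(f"  {kind:6} {user:10} -> {WORKSTATION} mapped to {mapped}")
        print("  rule for user1 matches:", policy_matches(table, WORKSTATION, "user1"))
```

Running it shows the workstation mapped to user_admin after the RDP logon and still after the log-off in the default case, so a rule written for user1 no longer matches; with user_admin on the ignore list the mapping stays user1, at the cost that user_admin is never mapped to any address.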

owner: ialeksov

Comments

Hi,

This is a bug that needs fixing by PA imo. Please look at the following sequence.

I log in to my PC using my credentials. After that I RDP to another machine using a second set of credentials.

What should happen is that my logon credentials should be associated with ip address of my PC. The logon credentials I used for the RDP session should be associated with ip address of the machine I RDPd to.

If I browse the web on the second machine then any activity on that machine ( ip address) should rightfully be associated with the specific logon credentials. Similarly if I browse the web on my machine then those sessions should have the ip address of my machine and my logon credentials. 

Is this a problem with Windows security logging or PA user agent ?

Thanks in advance for quick reply.

Is there a workaround for this behavior? I'm currently having this problem in a customer's network.

Hmmm, I guess I respectfully disagree that this is a bug/anomaly.

I think that is working exactly as designed.  If you RDP to another computer with generic credentials, you sort of lose the capability to having UserID determine what YOU are doing.  YOU are RDPing to another computer. 

I think (because I am not PA) that if this was allowed, then everyone created virtual computers, with generic usernames and hide what they are doing because it just became harder to determine who this generic user is.

Just my 2cents.   

FYI this very scenario (as described above in the first comment) caused us to completely recoil in horror and undo user-ID based firewall rules almost as soon as we enabled them. PA's User-ID system needs a way to have more than one username associated to a particular IP address.

Make no mistake, this is a bug or at the very least a design flaw in User-ID.

And no I haven't opened a ticket on it yet, as I honestly don't feel like fighting that battle with support. It's easier to just not open tickets for stuff like this, and avoid the pissing match with support.

The workaround support has advised is to ignore certain service accounts from UserID (either agent or agentless).

Agentless: https://live.paloaltonetworks.com/docs/DOC-4278

UserID Agent: https://live.paloaltonetworks.com/docs/DOC-2893

Works really well, but keep in mind that once ignored, those user accounts won't be mapped to any IP address.

I agree that this is a bug.  Right now when I RDP to another computer and sign on with the same account that I used to log on to my desktop, the RDP IP address is not mapped to any username for no apparent reason.  Also we have second accounts assigned to users that may need to do a webex type session with a vendor.  The second account normally only has access to the software and the computer that we are RDP'ing to, so that way the vendor can't access other resources that the user may have access to.  This is a valid reason to have the IP to user mapping work based on what account signed on to that IP address.

I think you have the problem backwards.  Right now, following your scenario, if I use a set of generic credentials to RDP into another computer, then the system I am RDPing FROM now shows the generic credentials as the logged in user. And while, yes "YOU" are RDPing to another computer, "YOU" are also now accessing the internet, from the original computer (not the one "YOU" RDPed into) as a different user (the generic user).

If I am logged into a system, then all my activities on THAT system should reflect the username I logged in with and not other credentials that I used on different systems. In certain configurations it would have the unintended consequence of allowing activities that shouldn't be allowed.

In most environments it is simply a pain.  We have to teach all our admins, who use a privileged account in many RDP sessions, that when they get blocked at the firewall (from their PC), they should look to see the user; if it isn't the one they are logged into their PC with, then lock and unlock their PC to clear it.

I am not sure how this could be considered desired and expected behavior!

Ah yes... I needed to re-read it a few times, and yes... everyone is correct.  What an annoyance this will be for people.  I do hope that PA resolves this.

You could potentially use Global Protect with internal host detection to get around this issue. So on the computer that you are using to RDP with, install Global Protect with "Internal host detection" enabled. This will prevent your username from being mapped to the RDP'ed computer's IP. For example:

Computer IP: 10.100.0.100

RDP host IP: 172.16.1.1

The computer is running the GP client, the RDP host not. So after RDP'ing the user mappings will look as follows:

admin@Lab-HA1> show user ip-user-mapping-mp all
IP              Vsys   From    User                             Timeout (sec)
--------------- ------ ------- -------------------------------- ----------------
10.100.0.100    vsys1  GP      lab\test                         1370
172.16.1.1      vsys1  AD      lab\test                         1331

Used the same AD credentials as the computer on the RDP host.

I'm running into this very issue. If I RDP to a machine, and surf the web from the target machine, it should reflect the IP mapping of the target machine, and the ID that I authenticated via RDP with.

This SHOULD NOT change the USER-IP mapping on the machine that sources the RDP to the ID used to RDP to the target machine. It should stay mapped to the ID that the actual user is logged into the source machine with.

The current behavior makes no sense at all. Has anyone else overcome this problem?

We are just migrating our users from another system to Palo Alto and are facing exactly the same problems. Is there really no workaround or fix for that?

This article really should be expanded and point to some options.

The issue is that you only get ONE ip address to user-id association.  Thus for your network you need to choose which association you want to maintain for each type of situation like this that occurs.

PA has a terminal server agent so if you need the TS address associated with the user-id and multiple user to work you can use that.

For cases where you have jump servers for particular tasks you can use ignore lists.

You have to deal with each situation depending on the result you want.

hey

i had this problem. not sure about the GP Agent, but when you do the RDP to a remote computer there will be a security log on the DC almost the same as other logon logs; however there is a slight change in the logs that PA could have used to know that this is an RDP and is generated for the server, so "don't change" the source IP UID association. but PA does not care about this flag, so this is not a bug, this is by design. i had a case about it.

how to overcome this:

1) use only one set of credentials

2) RDP with a user that you "exclude" from UID mapping, but then UID rules won't apply to those sources when you login

Have your SE or PAN rep vote on feature request FR ID: 1708

This addresses the issue of having the option to have more then one user-id mapped to a single IP

Is there any update about this? We migrated to PA early this year, and we're having the same issue with RDP sessions and -a accounts.

The workaround doesn't make any sense, I cannot exclude a "-a" account from the mappings as I use those accounts also for other access, has PaloAlto worked on a real solution yet?