AD user mis-identification issue in PAN


Not applicable

I have recently deployed PAN in my organisation, which has 2 domains.

I have installed 2 PAN agents, 1 for each domain, and added the respective DCs to their respective PAN Agent.

URL filtering is done on the basis of the User ID from AD. So when a user logs in with his User ID, the policy assigned to his User ID gets implemented.

Everything is working fine EXCEPT for 1 thing.

- When I map a drive or use an application with a different user ID, that user ID is used by PAN for URL filtering and not the user ID through which I have logged on to the PC. As such, the policy for the User ID that is used to map the drive gets implemented and the policy for the User ID through which the PC is logged in gets overridden.

Is there any solution to this, or any particular setting that I have missed that is causing this issue?

4 REPLIES

L0 Member

I have the same 2 domain setup and use logon scripts that run as DOMAIN\Administrator to map drives and such, but it doesn't affect USER-IDs.  How did you come to the conclusion that it's based on your mapped drives?  Can you isolate the user with its own rules and then re-map a drive and have the same outcome?

A lot of times with our USER-ID agents the agents time-out and all users get tossed into my "ALL OTHERS" rule, which causes some conflict.  Changing the time-out time on the agent and a simple reboot can fix this.

Are you using 4.0.1?  Seems this problem has occurred more often in 4.0.1 for our organization.

Not applicable

Besides the obvious contention of whether it's good to use different domain credentials to map drive letters, the PAN is doing exactly what it's supposed to.

The PAN Agent scrapes the security logs of the domain controllers for the userid and machine that successfully log on to the domain.

If a user logs on to a PC with domain\userid and then runs a script using domain\otheruserid, then there would be two entries in the security logs and the latest one would be the one that is valid.

I can think of a few ways to get around this, but it would be a pain and overall not a good option.

One would be to use local machine credentials when mapping drive letters (which would not create logs on the DC).

Another would be to extend the timeout to a length just enough so that once it determines credentials for a host, it won't check again for 8 hours.

L0 Member

Also you could try disabling NetBIOS lookups on the Agent.  Check the box to disable Netbios, save, OK and then restart the PanAgent service.

L6 Presenter

If your script is using a userid that you can safely ignore, then you could use the ignore_user_list.txt so that the Pan Agent ignores all logon events from that user.

See this posting for more info on the ignore_user_list feature.

https://live.paloaltonetworks.com/message/2241#2241

-Benjamin
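To make the behaviour described in the two replies above concrete, here is an added example (not code from Palo Alto Networks or from anyone in this thread) that replays a small, constructed set of DC logon events into an IP-to-user table the way the thread describes the agent working: the newest successful logon for an IP wins, accounts on an ignore list are skipped like ignore_user_list.txt, and an optional freshness window is a simplified stand-in for the "extend the timeout" workaround. Event ids, account names and IPs are constructed; the timeout logic is an assumption about the agent's behaviour, not its real implementation.

```python
from dataclasses import dataclass

# Constructed sample of what the agent would read from a DC security log:
# (timestamp_seconds, event_id, account, source_ip). Not real log output.
SAMPLE_EVENTS = [
    (1000, 4624, "CORP\\alice", "10.1.2.3"),         # alice logs on at her PC
    (1005, 4624, "CORP\\svc_mapdrive", "10.1.2.3"),  # logon script maps a drive as another account
    (1010, 4624, "CORP\\bob", "10.1.2.4"),           # unrelated user on another PC
    (1015, 4672, "CORP\\alice", "10.1.2.3"),         # non-logon event, must be ignored
]

@dataclass
class Mapping:
    user: str
    seen_at: int

def build_ip_user_map(events, ignore_users=(), timeout=None):
    """Replay successful logon (4624) events into an IP -> user table.

    The newest logon per IP replaces the older one, which is exactly how the
    thread explains the drive-mapping account overriding the interactive user.
    Accounts in ignore_users are skipped (models ignore_user_list.txt).
    If timeout is given, a mapping younger than that many seconds is not
    replaced: a simplified model of extending the agent timeout, assumed here
    for illustration rather than taken from the agent's real logic.
    """
    ignore = {u.lower() for u in ignore_users}
    table = {}
    for ts, event_id, account, ip in sorted(events):
        if event_id != 4624 or account.lower() in ignore:
            continue
        current = table.get(ip)
        if current is not None and timeout is not None and ts - current.seen_at < timeout:
            continue  # existing mapping still fresh; the newer logon does not override it
        table[ip] = Mapping(account, ts)
    return {ip: m.user for ip, m in table.items()}

if __name__ == "__main__":
    print("default:     ", build_ip_user_map(SAMPLE_EVENTS))
    print("ignore list: ", build_ip_user_map(SAMPLE_EVENTS, ignore_users=["CORP\\svc_mapdrive"]))
    print("8h freshness:", build_ip_user_map(SAMPLE_EVENTS, timeout=8 * 3600))
```

The default run shows 10.1.2.3 mapped to the drive-mapping account, the ignore-list run keeps it on alice, and the freshness-window run keeps alice only because her logon was recorded first.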
