We have users accessing the GlobalProtect VPN using their AD accounts, and we have User-ID enabled, but we do not see any evidence of the users on the AD domain controller. Is that because GP is accessing the DC using a service account? Is there any way to get the AD accounts to bind on the DC? We need these records for other things.
Are you looking for something like the 'last logon date' getting updated? That's not really going to work at all. When you auth with GlobalProtect, the firewall is using AD's LDAP function to verify that the user and the password are correct; if that comes back as True, then you continue the login process.
Technically, when you use LDAP you aren't actually 'logged in' as far as AD is concerned; that's just a function of how LDAP works. The firewall is simply acting as a 'client' and whatever is hosting your LDAP service is acting as the 'server'. The client connects to the server and basically asks "does user 'bpry' with password 'PaloAltoFakePass' exist within the database?" If the server responds 'Yup', then it'll let you log in; if not, then the process won't continue.
Correct, that is what my colleague is looking for: to have the last login date updated. There is no other way to do this that would give us that, is there?
So LDAP is looking in AD to make sure that the user and password are correct? Is the user ID showing up in the traffic logs because User-ID is enabled, or for some other reason?
If you log in to GlobalProtect, the firewall will by default record the source-user, as it verified the user internally, and will automatically include this user in the User-ID table.
Yeah, depending on how you utilize that attribute in AD this can cause some issues going forward; many places will automatically disable accounts that haven't logged in during a certain timeframe. Your only real option is to simply remind people that they need to log in within 'x' days, or move away from LDAP as the authentication method for GP.
You could run a post-GP-logon script; they run automatically when connected.
Perhaps map the user's home drive. This will force domain auth in the background, which will be recorded in the AD security log, and PA User-ID will pick this up....
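Two pieces a practitioner would want alongside the replies above, written here as an added example rather than anything posted in the thread or shipped by Palo Alto: a function that can sit in a GlobalProtect post-connect script to map the home drive (forcing a real domain logon, as the last reply suggests), and a check that queries every domain controller for a user's lastLogon, since lastLogon is not replicated and only the DC that serviced the logon holds the fresh value, while the replicated lastLogonTimestamp lags by up to the domain's sync interval (14 days by default). It assumes the RSAT ActiveDirectory module is installed and that the UNC path passed in is your own file server; `\\fileserver\home$` below is a placeholder, not a real path from the thread.

```powershell
# Added example (not from the LIVEcommunity thread, not Palo Alto code).
# Assumes the RSAT ActiveDirectory module is available to Get-LastLogonReport.

function Connect-HomeDrive {
    # Intended for a GlobalProtect post-connect script: mapping a share makes the
    # client authenticate to the domain (Kerberos/NTLM), which is the kind of logon
    # that lands in the DC security log and updates lastLogon, unlike the
    # firewall's LDAP bind on the user's behalf.
    param(
        [string]$DriveLetter = 'H',
        # Placeholder share; replace with your own home-directory root.
        [string]$ShareRoot = '\\fileserver\home$'
    )
    $uncPath = Join-Path -Path $ShareRoot -ChildPath $env:USERNAME
    if (-not (Get-PSDrive -Name $DriveLetter -ErrorAction SilentlyContinue)) {
        # -Persist creates a mapped network drive visible to the user, not just
        # a PowerShell-session drive.
        New-PSDrive -Name $DriveLetter -PSProvider FileSystem -Root $uncPath `
                    -Persist -Scope Global -ErrorAction Stop | Out-Null
    }
    return $uncPath
}

function Get-LastLogonReport {
    # Queries each DC individually because lastLogon is a non-replicated
    # attribute: the value on one DC says nothing about logons serviced by another.
    param(
        [Parameter(Mandatory)][string]$SamAccountName
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $user = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                               -Properties lastLogon, lastLogonTimestamp -ErrorAction Stop
            [pscustomobject]@{
                DomainController   = $dc.HostName
                # Both attributes are Windows FILETIME (100 ns ticks since 1601).
                LastLogon          = if ($user.lastLogon) {
                                         [DateTime]::FromFileTime($user.lastLogon) } else { $null }
                LastLogonTimestamp = if ($user.lastLogonTimestamp) {
                                         [DateTime]::FromFileTime($user.lastLogonTimestamp) } else { $null }
                Error              = $null
            }
        } catch {
            # A DC that is unreachable or denies the query should show up in the
            # report rather than silently disappearing from it.
            [pscustomobject]@{
                DomainController   = $dc.HostName
                LastLogon          = $null
                LastLogonTimestamp = $null
                Error              = $_.Exception.Message
            }
        }
    }
}

# Usage: compare the most recent per-DC lastLogon with the replicated timestamp.
# Get-LastLogonReport -SamAccountName 'bpry' | Sort-Object LastLogon -Descending | Format-Table
```

Run the report before and after a GlobalProtect login to see which kind of event, if any, moved the per-DC lastLogon; that tells you whether the post-connect drive mapping is doing what the thread expects before any "disable stale accounts" job relies on it.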