I was reading in some of the documentation for User-ID to see if we can improve our security a bit. Basically, I'm currently setting User-ID logs to no timeout with the assumption that a new user login will generate a new one and override the old one. We've been doing this because a number of users leave their computers locked instead of logging off every day so relying on a timeout period means eventually losing access to things that are utilizing the user-based policies.
The WinRM documentation from 9.0 appears to say it can be used to "map usernames from login and logout events to IP addresses" (https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/user-id-features/winrm-support-for-...) but everything I've found seems to indicate AD doesn't receive logoff events from the domain-joined PCs. Is this something that works on newer AD servers or is the documentation incorrect?
If it is incorrect, I'm curious what others are doing to get logoff events? I could probably get the PCs to send something to a syslog server on a logoff event, but I don't see any way in the syslog filter on the firewall to specify something as a logoff event vs a logon event, unless the solution would just be to match the event, retrieve the IP, but put a regex for the user ID that would never match anything?
To the best of my knowledge you can't have logoff events clear user-id information automatically. When clients have needed this in the past I've scripted it so that a logoff triggers a script that simply uses the API to clear the user-id information for the IP address on clients.
I've not tried WinRM, but logoff events are highly unreliable (closing your laptop lid is not a logoff, unplugging from the network isn't either). So I wouldn't rely on this mechanism at all.
In your first paragraph you mention you have the timeout set to 'off' because you want the new user to overwrite the old user. These are two different mechanisms that are not mutually exclusive: you can timeout inactive users and new users will still overwrite old accounts that have not timed out yet. I'd recommend always using the timeout (what if a new user 'roams' onto an abandoned IP with a user still logged on? The roaming user will not necessarily generate a logon event, so will seamlessly take over the previous user's credentials).
Timeout is one of the most reliable logoff events 🙂 You could consider WMI probing, or internal GlobalProtect agents for more control over users' IP mapping.
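The API-driven clear described in the reply above, as an added example (not code from the thread or from Palo Alto Networks): a script run at Windows logoff that builds the PAN-OS User-ID XML API logout message for this host's IPs and posts it to the firewall. The firewall hostname, the API key source and the DOMAIN\user name form are assumptions.

```python
import os
import socket
import ssl
import urllib.parse
import urllib.request
from xml.etree import ElementTree as ET

# Assumed values: set FW_HOST / FW_API_KEY in the environment before running.
FW_HOST = os.environ.get("FW_HOST", "firewall.example.internal")
FW_API_KEY = os.environ.get("FW_API_KEY", "<api-key-placeholder>")


def local_ipv4_addresses():
    """Return this host's non-loopback IPv4 addresses (the mappings to clear)."""
    try:
        _, _, addrs = socket.gethostbyname_ex(socket.gethostname())
    except OSError:  # hostname not resolvable, e.g. already off the network
        return []
    return [a for a in addrs if not a.startswith("127.")]


def build_logout_message(user, ips):
    """Build the User-ID <uid-message> with one <logout> entry per IP."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    logout = ET.SubElement(ET.SubElement(root, "payload"), "logout")
    for ip in ips:
        # ElementTree escapes the name, so '&' or '<' in a user name cannot break the XML
        ET.SubElement(logout, "entry", name=user, ip=ip)
    return ET.tostring(root, encoding="unicode")


def build_request_params(user, ips, api_key):
    """Form fields for the XML API call: type=user-id, key=<api key>, cmd=<uid-message>."""
    return {"type": "user-id", "key": api_key, "cmd": build_logout_message(user, ips)}


def send_logout(user, ips, host=FW_HOST, api_key=FW_API_KEY):
    """POST the logout to https://<host>/api/ and return the firewall's XML response."""
    data = urllib.parse.urlencode(build_request_params(user, ips, api_key)).encode()
    ctx = ssl.create_default_context()  # verify the firewall's certificate, no bypass
    with urllib.request.urlopen(f"https://{host}/api/", data=data, context=ctx, timeout=10) as r:
        return r.read().decode()


if __name__ == "__main__":
    # DOMAIN\user is the usual User-ID name form (assumption; the thread does not specify).
    user = f"{os.environ.get('USERDOMAIN', 'DOMAIN')}\\{os.environ.get('USERNAME', 'user')}"
    print(send_logout(user, local_ipv4_addresses()))
```

Deploy it as a GPO logoff script with the API key supplied to the process rather than stored in the file; a dedicated firewall admin role limited to User-ID API calls keeps the key's blast radius small.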