We have a few vendors who have AD accounts, but only connect to GlobalProtect to SSH to specific servers. They don't use any other domain resources. When we look in the domain controllers there is no last login information, so our policy to disable unused accounts after 21 days keeps disabling active accounts.
Anyone know how to get it to pass this information?
I am rephrasing the question; correct me if I am wrong.
Question: How to find out unused GP users for the last 21 days?
If that is the question, you cannot readily pull that information from the firewall.
However, system logs contain GP user login/logout activity. You should forward them to a syslog server and do the analysis from the login/logout logs.
Let me know if that helps.
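The analysis suggested in the reply above, as an added example that is not part of the original thread: parse forwarded GlobalProtect system log lines, keep the latest successful login per user, and list vendor accounts with no login in the last 21 days. The log line format, the `auth-success` marker and the sample lines are constructed for this example and are not the real PAN-OS syslog format; adapt the regex to the fields your syslog forwarding profile actually emits.

```python
"""List GlobalProtect users with no successful login in the last N days,
from forwarded system logs. Log format below is an assumption."""
import re
from datetime import datetime, timedelta

# Constructed sample lines (not real PAN-OS output): ISO timestamp, host,
# process, result marker, then the user name and source address.
SAMPLE_LOGS = """\
2024-05-01T08:12:03 gp-gw globalprotect: auth-success User name: vendor1, Login from: 203.0.113.5
2024-05-02T09:00:11 gp-gw globalprotect: auth-success User name: vendor2, Login from: 203.0.113.7
2024-05-20T17:45:40 gp-gw globalprotect: auth-success User name: vendor1, Login from: 203.0.113.5
2024-05-21T10:00:00 gp-gw globalprotect: auth-fail User name: vendor3, Login from: 198.51.100.9
"""

# Assumed line layout; only successful authentications count as activity.
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+globalprotect:\s+auth-success\s+"
    r"User name:\s+(?P<user>[^,\s]+)"
)


def last_logins(log_text):
    """Return {user: datetime of latest successful GP login}."""
    seen = {}
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue  # auth failures and unrelated system messages are skipped
        ts = datetime.fromisoformat(m.group("ts"))
        user = m.group("user").lower()  # AD names are case-insensitive
        if user not in seen or ts > seen[user]:
            seen[user] = ts
    return seen


def stale_users(log_text, vendor_accounts, now, max_idle_days=21):
    """Vendor accounts whose latest successful login is older than
    max_idle_days, or that never logged in successfully at all."""
    logins = last_logins(log_text)
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(u for u in vendor_accounts
                  if logins.get(u.lower(), datetime.min) < cutoff)


if __name__ == "__main__":
    report_date = datetime(2024, 5, 30)
    print(stale_users(SAMPLE_LOGS, ["vendor1", "vendor2", "vendor3"], report_date))
```

Feed it the retained syslog window (at least 21 days, plus any lead time before the disable job runs); an account that only ever fails authentication still ages out, which is the intended behaviour.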
The issue is with AD, in the fact that the Palo Altos are only using "simple bind" with the LDAP lookup. From what I found, AD should use lastlogonTimeStamp instead of lastlogon for "simple bind." However, it appears it is still not accurate. It showed a user last logged on 7 days ago, but they are currently logged on.