09-11-2014 06:34 AM
We have a few vendors who have AD accounts, but only connect to Global Protect to SSH to specific servers. They don't use any other domain resources. When we look in the domain controllers there is no last login information. So our policy to disable unused accounts after 21 days keeps disabling active accounts.
Anyone know how to get it to pass this information?
Thank you,
Randy
09-11-2014 06:46 AM
Hello Rgreens,
This appears to be an AD log issue; try to deep dive into the security logs of AD.
I don't think there is any issue with the firewall; if the user is authenticated, then the firewall must have forwarded the request to AD.
Regards,
Hardik Shah
09-11-2014 06:38 AM
Hi Randy,
I am rephrasing the question, correct me if I am wrong.
Question : How to find out unused GP users for last 21 days?
If that is the question, you cannot readily pull that information out of the firewall.
However, the system logs have information about GP user login/logout activity. You should forward them to a syslog server and do the analysis from the login/logout logs.
Let me know if that helps.
Regards,
Hardik Shah
09-11-2014 06:43 AM
I think he means; how can a user logging into Global Protect cause the last-logged-in timestamp held in Active Directory to be updated.
09-11-2014 06:45 AM
ajbool, correct. I can see in the Palo Alto the last login for Global Protect, but in the Domain Controllers it doesn't update the last login information.
09-11-2014 06:45 AM
Hi Ajbool,
When user tries to login, firewall sends credentials to AD for verification. So, AD should have that log in security logs.
Regards,
Hardik Shah
09-11-2014 11:20 PM
Just check the AD settings for logging that.
Not a firewall issue.
09-18-2014 06:51 AM
The issue is with AD, in the fact that the Palo Altos are only using "simple bind" with the LDAP lookup. From what I found, AD should use lastLogonTimestamp instead of lastLogon for "simple bind." However, it appears it is still not accurate. It showed a user last logged on 7 days ago, but they are currently logged on.
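The 7-day discrepancy Randy sees is expected behaviour of the two attributes: lastLogon is written only on the domain controller that serviced the bind and is never replicated, while lastLogonTimestamp is replicated but, by default, is only refreshed when the stored value is already 9 to 14 days old. An account that binds every day through GlobalProtect can therefore look a week or more idle on any single DC. The PowerShell below is an added example, not from the thread or from Palo Alto; it assumes the RSAT ActiveDirectory module and read access to every DC, and the function name and account names are placeholders. It reads both attributes from every DC and reports the newest real logon, which is the value a 21-day disable policy should be keyed on.

```powershell
# Added example: reconcile lastLogon (per-DC, not replicated) with
# lastLogonTimestamp (replicated, refreshed only when 9-14 days stale)
# so that accounts used solely via LDAP simple bind are not flagged idle.
# Assumes the RSAT ActiveDirectory module and read access to every DC.
Import-Module ActiveDirectory

function Get-TrueLastLogon {
    param(
        [Parameter(Mandatory)][string[]]$SamAccountName,
        [int]$StaleDays = 21   # matches the disable policy in the thread
    )
    # Every writable DC may hold a different, newer lastLogon value.
    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

    foreach ($sam in $SamAccountName) {
        $newest = [datetime]::MinValue
        $source = $null
        foreach ($dc in $dcs) {
            try {
                $u = Get-ADUser -Identity $sam -Server $dc -Properties lastLogon, lastLogonTimestamp
            } catch {
                continue   # DC unreachable or account not found there; keep going
            }
            foreach ($attr in 'lastLogon', 'lastLogonTimestamp') {
                $raw = $u.$attr
                if ($raw -and $raw -gt 0) {
                    # Both attributes are stored as 64-bit FILETIME integers.
                    $t = [datetime]::FromFileTime($raw)
                    if ($t -gt $newest) { $newest = $t; $source = "$attr@$dc" }
                }
            }
        }
        [pscustomobject]@{
            SamAccountName = $sam
            LastLogon      = if ($newest -eq [datetime]::MinValue) { $null } else { $newest }
            Source         = $source   # which attribute on which DC supplied the value
            Stale          = ($newest -lt (Get-Date).AddDays(-$StaleDays))
        }
    }
}

# Constructed usage: the vendor account names are placeholders.
Get-TrueLastLogon -SamAccountName 'vendor1', 'vendor2' | Format-Table -AutoSize
```

Because a single DC's lastLogonTimestamp can legitimately trail a daily user by up to two weeks, the Stale flag here is computed from the newest value across all DCs rather than from the replicated attribute alone.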