How the PAN build the TTL and the Max TTL values of the ip-user-id mappings ?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

How the PAN build the TTL and the Max TTL values of the ip-user-id mappings ?

L3 Networker

Hi,

I noticed a difference between the ip-user-id mappings inside the PAN-agent (45 mn by default) and those inside the firewall ( TTL and max TTL). I want to no how this values is built, is there any relationship between them and the ageout configured on the agent. If yes, how this values are derived?

Thank you in advance.

Asia.

1 accepted solution

Accepted Solutions

L4 Transporter

hello Asia,

the ttl on the Paloalto device is 1hour (3600 seconds) by default. By the way, this setting is not configurable on the Paloalto device.

So, the Paloalto device will ask the pan agent for the user ip mapping and once it gets it, it will give a ttl (time to live) of 3600 seconds.

Now the Paloalto device will continue to ask the User identification agent every few seconds (like 5-10 seconds) for any changes in the user to ip mapping. IF there is no change in the user information, then the count down will continue. If there is a new user for that ip, then the Paloalto device will assign that new user and new ttl. If that ttl expires then the user will go to "unknown".

The Paloalto device will also ask the user identification agent for a fresh new user to ip mapping list every hour.

One more detail is that if the user's ttl has expired and the user is now unknown, he will remain unknown until one of three things happen:

1. the Paloalto device sees traffic for that ip...at that time the paloalto device will ask the user identification agent for mappping information for that IP

2. One hour has gone by and the Paloalto device asks for a fresh new user list and that ip now has a user

3. A user is provided for that ip by the user identification agent during one of those 5-10 second queries from the paloalto device to the user identification agent

So, as you can see all of the above scenarios can affect the ttl and cause it to start again.

Also the Age-out timeout on the user identificatioin agent has nothing to do with the ttl on the Paloalto device. Here is a definition of the age-out timeout:

Age-out Timeout (min.): how long entries in the IP to username cache kept by the agent

are valid. Current entries can be viewed from the main User Identification Agent Screen

under IP to Username Information, as in the graphic below, 45 minute default.

Hope this helps Smiley Happy

View solution in original post

2 REPLIES 2

L4 Transporter

hello Asia,

the ttl on the Paloalto device is 1hour (3600 seconds) by default. By the way, this setting is not configurable on the Paloalto device.

So, the Paloalto device will ask the pan agent for the user ip mapping and once it gets it, it will give a ttl (time to live) of 3600 seconds.

Now the Paloalto device will continue to ask the User identification agent every few seconds (like 5-10 seconds) for any changes in the user to ip mapping. IF there is no change in the user information, then the count down will continue. If there is a new user for that ip, then the Paloalto device will assign that new user and new ttl. If that ttl expires then the user will go to "unknown".

The Paloalto device will also ask the user identification agent for a fresh new user to ip mapping list every hour.

One more detail is that if the user's ttl has expired and the user is now unknown, he will remain unknown until one of three things happen:

1. the Paloalto device sees traffic for that ip...at that time the paloalto device will ask the user identification agent for mappping information for that IP

2. One hour has gone by and the Paloalto device asks for a fresh new user list and that ip now has a user

3. A user is provided for that ip by the user identification agent during one of those 5-10 second queries from the paloalto device to the user identification agent

So, as you can see all of the above scenarios can affect the ttl and cause it to start again.

Also the Age-out timeout on the user identificatioin agent has nothing to do with the ttl on the Paloalto device. Here is a definition of the age-out timeout:

Age-out Timeout (min.): how long entries in the IP to username cache kept by the agent

are valid. Current entries can be viewed from the main User Identification Agent Screen

under IP to Username Information, as in the graphic below, 45 minute default.

Hope this helps Smiley Happy

Thank you so much swhyte for this great response, it's so clear for me now. It remain just one question, it's concerning the ageout timeout in the agent. I want to know if it is an inactivity timer or an agressive ageout after wich the entry is supressed even thow there is AD logs/activity seen from the same ip and the same user ?

Thank you for your time.

  • 1 accepted solution
  • 5254 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!