11-15-2011 04:08 AM
Hi i have a problem,i logged in with mydomain\jame to my computer,and i tried to access filtered url and see different user name on the warning page to that category.why is this happening,is there any idea?
11-15-2011 05:09 AM
Hi,
Please could you provide a bit more info?
Are you on a computer that only you use?
Could another user have been logged into that computer recently? IP to username mapping only occurs periodically.
Are you logging in to a server using remote desktop or similar?
Regards,
Dave
11-15-2011 05:18 AM
i access the system on an rdp session and i am using a user which has domain administrator priviliges,when i first loged in the server i tried to access the web and blocked,on the browser i see my logon user name,after 5 minutes i tried this agein clearing the browser cache,i saw the user mydomain\administrator user on the blocked page.
another system,this is just mentioned me today from oen of my clients,he says, the same error but this time he is accesing the user
hisdomain\james to the computer and again see the right user name for 5 minutes nearly,after than he sees hisdomain\jonny on the blocked page error.
11-15-2011 05:33 AM
Does your RDP server have the Terminal Services agent running on it?
If you are using a shared system with just the user agent running against AD then this sort of thing can happen. If multiple users are logging in from the same IP the Palo will just use the latest IP to username mapping it has.
The Terminal Services agent addresses this I believe. I have not used it myself yet though.
Regards,
Dave
11-15-2011 05:46 AM
no,terminal server agent is not running.and i want to point out that the second system is more important becouse the local user troubles with this problem on the local site not an rdp session occurs during this situtation.
11-15-2011 06:05 AM
So the user is logging into his own PC and there is nobody else logged into the same computer?
Is the user authenticating as another user for anything on the PC (perhaps a service)?
Is the user on the same network as the AD used for IP to username mapping? If multiple users are on a different network from AD and NAT is occuring in between, multiple users may again get mapped to the same IP.
Regards,
Dave
11-15-2011 06:42 AM
i will search these,but assume that your assumptions are not true,what another cases causes a situation like this,i am asking this becouse the time period 
thanks fpr your answer.
11-15-2011 06:52 AM
Please can you check
1) If the IP address in the Palo log matches the IP address assigned to the client (ipconfig /all) or is a different one
2) How many other users have recent entries in the log appearing to come from the same IP
3) OS of client machine
Thanks
11-15-2011 07:15 AM
hi i recognized a situation while i am analyzing the logs;
here it is comming,10.10.10.15 ip address is mapping with different users,when i checked from dns 10.10.10.15 is a terminal server,so we can continue from here,i understood that when a user logins this terminal server another one is discnnecting and newly connected user accesing the internet,am i right ?and is so what can i do to stop this situtation?
11-15-2011 07:20 AM
Yes that would explain it then. I believe that the terminal services agent is for just this situation. As I mentioned earlier I have not used this myself though.
Regards,
Dave
11-15-2011 07:43 AM
thanks,i will search about terminal server agent then.
11-15-2011 07:51 AM
You can download it from Palo Alto support. I'm sure there is an install guide somewhere.
I know it needs to be installed each Terminal Server.
Good luck
Regards,
Dave
11-16-2011 06:55 AM
hi there is another problem i want to talk about,i am describing a rule without no restricton to my user name,and moving the rule top of the liist,than i try to access the internet at first it is cool i cn access everywhere but in a short time,i am blocked with a different user name,when i check the palo alto monitor,i see that i am using my full_access rule for a short time but than i am matching with restricted rule with the user name seen on the blocked page.
so i understood that this is a complication of terminal server usage,but is this normal to match with a restricted rule when i create a rule without no restriction to my username?
11-16-2011 07:08 AM
Hi,
I think this is all the same problem.
That rule will only be used during the period that the Palo has your IP address mapped to your username.
If you have multiple users on your terminal server then the terminal server agent should be installed.
Regards,
Dave
11-16-2011 07:29 AM
Hi dyoung thanks for your advices,i will try it and share the result for assistant of other palo alto users.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
