i see a user name on the blocked pages which is different from the user i loged in AciveDirectory.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

i see a user name on the blocked pages which is different from the user i loged in AciveDirectory.

Not applicable

Hi i have a problem,i logged in with mydomain\jame to my computer,and i tried to access filtered url and see different user name on the warning page to that category.why is this happening,is there any idea?

14 REPLIES 14

L4 Transporter

Hi,

Please could you provide a bit more info?

Are you on a computer that only you use?

Could another user have been logged into that computer recently?  IP to username mapping only occurs periodically.

Are you logging in to a server using remote desktop or similar?

Regards,

Dave

i access the system on an rdp session and i am using a user which has domain administrator priviliges,when i first loged in the server i tried to access the web and blocked,on the browser i see my logon user name,after 5 minutes i tried this agein clearing the browser cache,i saw the user mydomain\administrator user on the blocked page.

another system,this is just mentioned me today from oen of my clients,he says, the same error but this time he is accesing the user

hisdomain\james to the computer and again see the right user name for 5 minutes nearly,after than he sees hisdomain\jonny on the blocked page error.

Does your RDP server have the Terminal Services agent running on it?

If you are using a shared system with just the user agent running against AD then this sort of thing can happen.  If multiple users are logging in from the same IP the Palo will just use the latest IP to username mapping it has.

The Terminal Services agent addresses this I believe.  I have not used it myself yet though.

Regards,

Dave

no,terminal server agent is not running.and i want to point out that  the second system is more important becouse the local user troubles with this problem on the local site not an rdp session occurs during this situtation.

So the user is logging into his own PC and there is nobody else logged into the same computer? 

Is the user authenticating as another user for anything on the PC (perhaps a service)?

Is the user on the same network as the AD used for IP to username mapping?  If multiple users are on a different network from AD and NAT is occuring in between, multiple users may again get mapped to the same IP.

Regards,

Dave

i will search these,but assume that your assumptions are not true,what another cases causes a situation like this,i am asking this becouse the time period Smiley Happythanks fpr your answer.

Please can you check

1) If the IP address in the Palo log matches the IP address assigned to the client (ipconfig /all) or is a different one

2) How many other users have recent entries in the log appearing to come from the same IP

3) OS of client machine

Thanks

hi i recognized a situation while i am analyzing the logs;

here it is comming,10.10.10.15 ip address is mapping with different users,when i checked from dns 10.10.10.15 is a terminal server,so we can continue from here,i understood that when a user logins this terminal server another one is discnnecting and newly connected user accesing the internet,am i right ?and is so what can i do to stop this situtation?

Yes that would explain it then.  I believe that the terminal services agent is for just this situation.  As I mentioned earlier I have not used this myself though.

Regards,

Dave

thanks,i will search about terminal server agent then.

You can download it from Palo Alto support.  I'm sure there is an install guide somewhere.

I know it needs to be installed each Terminal Server.

Good luck

Regards,
Dave

hi there is another problem i want to talk about,i am describing a rule without no restricton to my user name,and moving the rule top of the liist,than i try to access the internet at first it is cool i cn access everywhere but in a short time,i am blocked with a different user name,when i check the palo alto monitor,i see that i am using my full_access rule for a short time but than i am matching with restricted rule with the user name seen on the blocked page.

so i understood that this is a complication of terminal server usage,but is this normal to match with a restricted rule when i create a rule without no restriction to my username?

Hi,

I think this is all the same problem.

That rule will only be used during the period that the Palo has your IP address mapped to your username.

If you have multiple users on your terminal server then the terminal server agent should be installed.

Regards,

Dave

Hi dyoung thanks for your advices,i will try it and share the result for  assistant of other palo alto users.

  • 5518 Views
  • 14 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!