IP to user mapping unreliable

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

IP to user mapping unreliable

L4 Transporter

Situation: PC connected to our domain. Domain users log on to it. Domain users have internet access.

The same PC is used for assessments. These (external) users log on with a local user account (not known as a domain user). These users are not allowed to have internet access.

If a domain user has logged on to the PC, the IP is mapped to the user. If the domain user logs off, the IP mapping remains (until timeout). If in the meantime a local user logs on, he/she has full internet access.

This posed two severe problems:

1. Traffic coming from that PC is mistakenly logged as coming from that user.

2. Policies for denying applications based on user don't work.

How can I make the device reliably identify users and allow/deny applications ?

32 REPLIES 32

Not applicable

Hi Dieter,

Just suggest some settings:

1. Disable local users for your end user access

2. Change the default time of Age-out timeout in UIA as small as possible

3. If using NetBIOS Probing, you may consider to shorten that but it will affect your network performance

Hope it help.

J

1. What exactly do you mean with disabling local users ?

2. Lowering the timeout only has effect on the PAN agent. Users are cached on the device with a fixed timeout of 3600 s. That's just too long.

3. no NetBIOS

Instead of using an agent, is there any way I can do realtime LDAP checking ? Instead of having policies look at IP addresses (even if you specify users, it comes down to IP's only), have the policies look at the user who's requesting access ? Similar to proxy authentication...

Well, then Captive Portal might do the trick. In captive portal you can set idle timeout and maximum session length. On the other hand there is no "logoff" or client probing. Using Captive Portal with NTLM-auth is "fairly" transparent to the user.

Can I have a first CP policy do NTLM auth and if it fails use a second CP policy asking the user for credentials ?

Are CP policies evaluated in a specific order (like security rules) ?

When you define your Captive Portal you specify both an agent for NTLM authentication and an authentication profile for form-based authentication.

This means (and might not be well documented by Palo) that if you choose method NTLM in the CP-policy it will first try NTLM-authentication and then use form-based authentication as a fall back mechanism. You don't need a second policy with method captive-portal.

Rules are read from the top to bottom. This in turn means you can make exceptions above a general policy with method NTLM or captive-portal if you want.

Thank you, I will try that.

L4 Transporter

Update on the original situation:

There's a serious flaw in using the PAN agent:

- domain user logs on, ip is mapped to user

- domain user logs off

- local user logs on before the domain user-to-ip mapping times out on the device (3600s)

- as long as no other domain user logs on to the same pc, the PAN agent sees the ip active, but doesn't even check if it's still the same user

Proof of this is in the PAN agent log, fragment of the log at the time a local user was logged on (local username is completely different from domain username):

2011 02 15 13:14:04, PAN_AGENT_GET_NEW_IP: Number of IPs received from device (127.0.0.1): 1
2011 02 15 13:14:04,     QueryIP 10.39.1.98 (mengrp\dieter) done
2011 02 15 13:14:04, Sending 1 IP(s) to device (127.0.0.1)
2011 02 15 13:14:04,     [1] 10.39.1.98 : mengrp\dieter to device (127.0.0.1)

This gets logged every other minute or so. Doesn't even matter if the local user logs of or not.

The mapping never times out. You'd expect it to time out, what else is the age-out timeout setting in the PAN agent for ?

How can I ever be 100% certain that logged traffic is from a specific user ?

@dietr:

the QueryIP looks like a Netbios/WMI probe. Is Netbios/WMI probing enabled? If so what is the timer setting for the probe interval?

You are correct. I was testing to see if it made any difference. It doesn't.

Log fragment with NetBIOS disabled:

2011 02 15 14:33:55, Sending 5 IP(s) to device (127.0.0.1)
2011 02 15 14:33:55,     [1] 10.39.1.62 : mengrp\geoffrey.beulque to device (127.0.0.1)
2011 02 15 14:33:55,     [2] 10.39.1.98 : mengrp\dieter to device (127.0.0.1)
2011 02 15 14:33:55,     [3] 10.39.0.106 : mengrp\geoffrey.beulque to device (127.0.0.1)
2011 02 15 14:33:55,     [4] 10.39.0.199 : mengrp\dieter.bulcke to device (127.0.0.1)
2011 02 15 14:33:55,     [5] 10.39.0.17 : mengrp\paul.gijswijt to device (127.0.0.1)

Note that the pc has been physically disconnected from the network over half an hour ago. But the PAN agent still thinks it is mapped to the domain user. Age-out timeout is set to 5 min.

@dieter:

in your pan agent config file what is the setting for <enable_full_expire>? if it is 0 change it to 1

is there a user_ip_map.txt file in the Pan Agent folder? If so delete it.

restart the PanAgent service.

do you still see the problem?

enable_full_expire was indeed set to 0 (why is that option not on the configure dialog ?!)

The file user_ip_map.txt gets recreated shortly after restarting the panagentservice.

I will test timeout expiration now...

Ok, the user now times out on the PAN agent.

But on the device the timeout is fixed at 3600 seconds. This means the local user who has logged on shortly after the domain user can still access the internet. And that traffic is mistakenly logged as coming from the domain user.

See you got some help regarding your idle/expire timers.

I agree that monitoring security logs solely never will identify users 100% correctly. You might get close to 100% depending on your network and you configuration. The main reasons for this being:


A)    PAN-agent does not monitor logoff events. I’m not even sure DC’s default log those types of events.


B)    PAN-devices rely on timers and/or wmi/nebios probing to speed up expiration of old ip-user mappings.


C)    Palo doesn’t have an agent solution that can be installed on the client to pickup logon/logoff events and report these events on the fly to a “PAN-client-service” or whatever you want to call it.

Picking up client local logon events on the other hand would only be interesting if those types of logons resulted in the user was re-labeled as “unknown”. That way we can choose to deal with them as unknown users, have them logon in the domain again or use captive portal. Then again, this would require some sort of agent on the client.

This undermines one of the most important features PaloAlto advertises: http://www.paloaltonetworks.com/technology/user-id.html

  • 12521 Views
  • 32 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!