You are correct. That is why I would use the User ID API with a Log Out script to force the removal of the IP mapping. (https://live.paloaltonetworks.com/docs/DOC-1348). In this way we can create our own log out event....
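As an added example (not code from this thread or from Palo Alto Networks), the kind of message such a log-out script would send: it builds a User-ID XML API "logout" message for one or more user/IP pairs and posts it to the firewall's API endpoint. The function names, the firewall hostname and the API key are assumptions; the uid-message structure is the User-ID API's documented format.

```python
# Added example: build a PAN-OS User-ID XML API "logout" message that
# removes a user-to-IP mapping, and post it to the firewall's /api/
# endpoint. Helper names, host and API key are placeholders.
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


def build_logout_message(entries):
    """Return a uid-message that logs out each (user, ip) pair in entries."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    logout = ET.SubElement(payload, "logout")
    for user, ip in entries:
        ET.SubElement(logout, "entry", name=user, ip=ip)
    return ET.tostring(root, encoding="unicode")


def logout_entries(message):
    """Parse a uid-message and return the (user, ip) pairs under <logout>."""
    root = ET.fromstring(message)
    return [(e.get("name"), e.get("ip"))
            for e in root.findall("./payload/logout/entry")]


def send_uid_message(host, api_key, message):
    """POST the message to https://<host>/api/ (type=user-id) and return
    the XML response body as text. TLS certificate validation stays on."""
    body = urllib.parse.urlencode(
        {"type": "user-id", "key": api_key, "cmd": message}).encode()
    req = urllib.request.Request(f"https://{host}/api/", data=body,
                                 method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Constructed sample: a logoff script on the workstation would pass the
    # user who logged off and the host's current IP address.
    msg = build_logout_message([("example\\jdoe", "192.0.2.10")])
    print(msg)
    # send_uid_message("firewall.example.net", "<API-KEY>", msg)
```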
A nice thought, James, but when using 802.1x you don't even have an IP address when you authenticate. In most 802.1x implementations I have seen or been involved in, "x" is used to place authed users on specific VLANs for that user/group. Admittance based on client security posture is another reason for using it.
You are correct, but an IP address is requested and given. Depending on your implementation (granted), all this information will be in the RADIUS server. Otherwise, you may have some correlation work to do with a DHCP server.
We had a similar issue and the below fixed this for us.
Have you tried disabling the cache on the Palo Agent? It is in the configure part of the agent and it is called "Enable Group Cache". Untick that and delete the user_ip_map.txt file in the Pan Agent folder, then restart the service. I have attached a screenshot of the setting also.
Just to share our feedback about the user-id feature, there are mainly two items to deal with:
- When you are using fixed PCs on your AD domain: it's quite simple, because IPs won't often change, but you have to deal with multi-user computers.
- When you are using laptops, even if the AD agent is efficient, you won't be able to have a real-time userID-IP association (when the IP has changed).
Within my company, we deal with these two issues by using the XML/API agent. We deploy a piece of code which communicates with the API agent. Now life is great. We have 80,000 PCs, of which 45,000 are laptops, and we are able to recognize who is behind each IP within 10 to 15 s.
The Palo Alto UserID feature is really great, but you have some work to do to take full advantage of it. I think release 4 will bring some more integrated features, but at the moment the system is quite open.
It has changed the way we provide security.
PS: this information is intended to stay in this private forum within Palo Alto, no public communication, thanks.
Having exactly the same issues. In this case it is a single AD box with multiple AD users. Cannot disable the user ID cache since they have multiple remote sites – the probing etc will overwhelm the WAN links.
The API/XML script seems like a great solution but not a commercially and economically feasible solution. Pushes up costs of deploying Palo since custom dev work must be done to get it going…
Would anybody mind sharing their API/XML solution to fix this issue in the meanwhile? Hopefully Palo will implement a function whereby the PAN agent can read the security logs for logoff events directly. (not too sure why it does not in the first place?)
Windows logoff events are less common than you may think. Most laptop users will just sleep or hibernate when they are leaving, neither of which creates the desired event.
With the current version of the user agent, the only areas where we still have some issues are high-turnover wireless networks where IPs are quickly recycled and reassigned. This is where the API comes in handy. Take a look at for an example of how to set it up. Modification of the scripts is not terribly complex and we are happy to help you out with it on the .
I am happy to get into more details on any of your concerns here, just let me know what they are.
Thanks for the offer. Just an update, the issue is resolved. Turns out that WMI/NetBIOS probing is potent enough to build a more or less complete IP to user mapping table. So my initial thoughts were that all is working as expected and the issue must be something else. The problem was that the customer did not add any "include" networks in the PAN agent, only exclude networks. Upon closer inspection in the PAN agent logs I found the agent logging that IP x is not in the include list. Adding all the subnets to the PAN agent fixed all the issues experienced at this site with PAN agent – even the issue with multiple users logging onto a single PC was fixed. The IP to user mapping on the PAN firewall is updated almost instantaneously.
Thanks for the help