Situation: PC connected to our domain. Domain users log on to it. Domain users have internet access.
The same PC is used for assessments. These (external) users log on with a local user account (not known as a domain user). These users are not allowed to have internet access.
If a domain user has logged on to the PC, the IP is mapped to the user. If the domain user logs off, the IP mapping remains (until timeout). If in the meantime a local user logs on, he/she has full internet access.
This posed two severe problems:
1. Traffic coming from that PC is mistakenly logged as coming from that user.
2. Policies for denying applications based on user don't work.
How can I make the device reliably identify users and allow/deny applications?
Just suggest some settings:
1. Disable local users for your end user access
2. Change the default time of Age-out timeout in UIA as small as possible
3. If using NetBIOS Probing, you may consider shortening that, but it will affect your network performance
Hope it helps.
1. What exactly do you mean by disabling local users?
2. Lowering the timeout only has an effect on the PAN agent. Users are cached on the device with a fixed timeout of 3600 s. That's just too long.
3. no NetBIOS
Instead of using an agent, is there any way I can do realtime LDAP checking? Instead of having policies look at IP addresses (even if you specify users, it comes down to IPs only), have the policies look at the user who's requesting access? Similar to proxy authentication...
Well, then Captive Portal might do the trick. In captive portal you can set idle timeout and maximum session length. On the other hand there is no "logoff" or client probing. Using Captive Portal with NTLM-auth is "fairly" transparent to the user.
Can I have a first CP policy do NTLM auth and if it fails use a second CP policy asking the user for credentials ?
Are CP policies evaluated in a specific order (like security rules) ?
When you define your Captive Portal you specify both an agent for NTLM authentication and an authentication profile for form-based authentication.
This means (and might not be well documented by Palo) that if you choose method NTLM in the CP-policy it will first try NTLM-authentication and then use form-based authentication as a fall back mechanism. You don't need a second policy with method captive-portal.
Rules are read from the top to bottom. This in turn means you can make exceptions above a general policy with method NTLM or captive-portal if you want.
Update on the original situation:
There's a serious flaw in using the PAN agent:
- domain user logs on, ip is mapped to user
- domain user logs off
- local user logs on before the domain user-to-ip mapping times out on the device (3600s)
- as long as no other domain user logs on to the same pc, the PAN agent sees the ip active, but doesn't even check if it's still the same user
Proof of this is in the PAN agent log, fragment of the log at the time a local user was logged on (local username is completely different from domain username):
2011 02 15 13:14:04, PAN_AGENT_GET_NEW_IP: Number of IPs received from device (127.0.0.1): 1
2011 02 15 13:14:04, QueryIP 10.39.1.98 (mengrp\dieter) done
2011 02 15 13:14:04, Sending 1 IP(s) to device (127.0.0.1)
2011 02 15 13:14:04,  10.39.1.98 : mengrp\dieter to device (127.0.0.1)
This gets logged every other minute or so. It doesn't even matter whether the local user logs off or not.
The mapping never times out. You'd expect it to time out; what else is the age-out timeout setting in the PAN agent for?
How can I ever be 100% certain that logged traffic is from a specific user?
You are correct. I was testing to see if it made any difference. It doesn't.
Log fragment with NetBIOS disabled:
2011 02 15 14:33:55, Sending 5 IP(s) to device (127.0.0.1)
2011 02 15 14:33:55,  10.39.1.62 : mengrp\geoffrey.beulque to device (127.0.0.1)
2011 02 15 14:33:55,  10.39.1.98 : mengrp\dieter to device (127.0.0.1)
2011 02 15 14:33:55,  10.39.0.106 : mengrp\geoffrey.beulque to device (127.0.0.1)
2011 02 15 14:33:55,  10.39.0.199 : mengrp\dieter.bulcke to device (127.0.0.1)
2011 02 15 14:33:55,  10.39.0.17 : mengrp\paul.gijswijt to device (127.0.0.1)
Note that the pc has been physically disconnected from the network over half an hour ago. But the PAN agent still thinks it is mapped to the domain user. Age-out timeout is set to 5 min.
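The two log fragments above are enough to show the problem mechanically. The following is an added example, not code from the thread or from Palo Alto Networks: a small Python parser for the "IP : user to device" lines the PAN agent writes, which rebuilds the mapping timeline, flags any (IP, user) mapping that the agent kept pushing for longer than the configured age-out (5 minutes in the post above), and, given endpoint evidence of when the domain user actually logged off, lists every push that happened after that logoff. The logoff time for 10.39.1.98 is a constructed assumption (the thread only says the user had logged off); everything else in the sample input is the log text quoted in the thread.

```python
import re
from datetime import datetime

# Format of the "IP : user to device" lines in the PAN agent log quoted above,
# e.g. "2011 02 15 13:14:04,  10.39.1.98 : mengrp\dieter to device (127.0.0.1)".
PUSH_RE = re.compile(
    r"^(\d{4} \d{2} \d{2} \d{2}:\d{2}:\d{2}),\s+"
    r"(\d{1,3}(?:\.\d{1,3}){3}) : (\S+) to device"
)

# The two log fragments quoted in the thread. Lines that are not mapping
# pushes (QueryIP, Sending N IP(s), ...) are ignored by the parser.
AGENT_LOG = r"""
2011 02 15 13:14:04, PAN_AGENT_GET_NEW_IP: Number of IPs received from device (127.0.0.1): 1
2011 02 15 13:14:04, QueryIP 10.39.1.98 (mengrp\dieter) done
2011 02 15 13:14:04, Sending 1 IP(s) to device (127.0.0.1)
2011 02 15 13:14:04,  10.39.1.98 : mengrp\dieter to device (127.0.0.1)
2011 02 15 14:33:55, Sending 5 IP(s) to device (127.0.0.1)
2011 02 15 14:33:55,  10.39.1.62 : mengrp\geoffrey.beulque to device (127.0.0.1)
2011 02 15 14:33:55,  10.39.1.98 : mengrp\dieter to device (127.0.0.1)
2011 02 15 14:33:55,  10.39.0.106 : mengrp\geoffrey.beulque to device (127.0.0.1)
2011 02 15 14:33:55,  10.39.0.199 : mengrp\dieter.bulcke to device (127.0.0.1)
2011 02 15 14:33:55,  10.39.0.17 : mengrp\paul.gijswijt to device (127.0.0.1)
"""

# Constructed endpoint evidence (an assumption, not from the thread): the time
# the domain user logged off the PC, keyed by (ip, user).
LOGOFFS = {
    ("10.39.1.98", r"mengrp\dieter"): datetime(2011, 2, 15, 13, 10, 0),
}


def parse_pushes(text):
    """Return [(timestamp, ip, user)] for every mapping the agent pushed."""
    pushes = []
    for line in text.splitlines():
        m = PUSH_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y %m %d %H:%M:%S")
            pushes.append((ts, m.group(2), m.group(3)))
    return pushes


def mapping_spans(pushes):
    """Per (ip, user): first and last time the agent pushed that mapping."""
    spans = {}
    for ts, ip, user in pushes:
        first, last = spans.get((ip, user), (ts, ts))
        spans[(ip, user)] = (min(first, ts), max(last, ts))
    return spans


def stale_mappings(pushes, age_out_seconds):
    """Mappings pushed over a window longer than the configured age-out.

    A mapping that ages out correctly should disappear (or be re-learned from a
    fresh logon) within age_out_seconds; one pushed unchanged for longer is the
    symptom described in the thread. Returns {(ip, user): lifetime_in_seconds}.
    """
    stale = {}
    for key, (first, last) in mapping_spans(pushes).items():
        lifetime = int((last - first).total_seconds())
        if lifetime > age_out_seconds:
            stale[key] = lifetime
    return stale


def pushes_after_logoff(pushes, logoffs):
    """Pushes of a mapping after the endpoint says that user logged off.

    Any traffic from that IP in this window is attributed to the wrong user.
    """
    return [(ts, ip, user) for ts, ip, user in pushes
            if (ip, user) in logoffs and ts > logoffs[(ip, user)]]


if __name__ == "__main__":
    pushes = parse_pushes(AGENT_LOG)
    for (ip, user), secs in stale_mappings(pushes, age_out_seconds=300).items():
        print("stale: %s -> %s pushed for %d s (age-out 300 s)" % (ip, user, secs))
    for ts, ip, user in pushes_after_logoff(pushes, LOGOFFS):
        print("%s: %s still mapped to %s after logoff" % (ts, ip, user))
```

On the quoted fragments alone, 10.39.1.98 -> mengrp\dieter is pushed at 13:14:04 and again at 14:33:55, a span of 4791 s against a 300 s age-out, which is the "never times out" behaviour the post describes. To use this on a live agent, feed it the agent's log file and replace the constructed LOGOFFS with logoff events exported from the endpoint (for example Windows security event log entries), so the comparison is between what the firewall believes and what the PC actually reports.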