In your PAN agent config file, what is the setting for <enable_full_expire>? If it is 0, change it to 1.
Is there a user_ip_map.txt file in the PAN Agent folder? If so, delete it.
Restart the PanAgent service.
Do you still see the problem?
enable_full_expire was indeed set to 0 (why is that option not on the configure dialog?!)
The file user_ip_map.txt gets recreated shortly after restarting the PanAgent service.
I will test timeout expiration now...
Ok, the user now times out on the PAN agent.
But on the device the timeout is fixed at 3600 seconds. This means the local user who has logged on shortly after the domain user can still access the internet. And that traffic is mistakenly logged as coming from the domain user.
I see you got some help regarding your idle/expire timers.
I agree that monitoring security logs alone will never identify users 100% correctly. You might get close to 100% depending on your network and your configuration. The main reasons for this being:
A) PAN-agent does not monitor logoff events. I'm not even sure DCs log those types of events by default.
B) PAN-devices rely on timers and/or WMI/NetBIOS probing to speed up expiration of old ip-user mappings.
C) Palo doesn't have an agent solution that can be installed on the client to pick up logon/logoff events and report these events on the fly to a "PAN-client-service" or whatever you want to call it.
Picking up client local logon events, on the other hand, would only be interesting if those types of logons resulted in the user being re-labeled as "unknown". That way we can choose to deal with them as unknown users, have them log on to the domain again, or use captive portal. Then again, this would require some sort of agent on the client.
Well, that is one way to look at it. As I mentioned before, it is likely we don't know 100% of the users 100% of the time. In a Windows environment local client users are a bit of a hassle. Then again, how many of us allow "average Joe" to log on locally? In most cases nearly all users are in our directory.
I don't know how the LDAP-agent works with eDirectory, as Novell saves both logon/logoff events in the directory as well as the client IP. In theory it would be easier to keep track of these users... but.....
...users were born to make our lives a living hell ;) They shut off the PCs without logging off, hibernate the PC, etc.
100% correct 100% of the time is tough, but there is room for improvement no doubt.
If you require absolute, to-the-second, 100% information on a user, this will need s/w on the client. For this you have a couple of options:
1. Use a combination of 802.1x supplicants and 802.1x Network. Then use RADIUS messages from 802.1x over EAP, for example, to hook into our User-ID XML-API. You'll get log on and off here.
2. PAN-OS 4.0 will give you client s/w that can be distributed to get to the desired results for User-ID.
Like you said: most users are in our Active Directory. That's because we want to make sure the user is allowed/forbidden access to certain resources. I consider AD authentication very reliable. The only time it fails is when users give their passwords to others, but that is not my responsibility anymore.
Until further notice I consider User-ID not reliable, but it is my responsibility to make sure unauthenticated users can't browse the internet.
I'm having my reseller escalate the issue to the local PA office.
The real problem we are hitting here is that you have non-domain users as well as domain users, and our current design has no real support for local users. If you were having multiple domain users use the system, the new log-in events would update and all would be well. Instead, what happens is there is no event that we track occurring when the local user logs on. You can define logout scripts in your AD to remove the user from User-ID using the API. This would serve to make the local user unknown, which seems to be the result that you want. Does this make sense?
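The logout script suggested above, as an added example that is not part of this thread or of Palo Alto's own tooling: it builds the User-ID XML API `<logout>` message that removes one ip-user mapping and POSTs it to the firewall's `/api/` endpoint with `type=user-id`. The firewall address, API key and the constructed user/IP values are placeholders to replace; the script is meant to be launched from the AD logoff script on the client.

```python
"""Logoff hook that clears a User-ID ip-user mapping via the XML API."""
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Placeholders (assumed): the firewall management address and an API key
# for an admin role that is allowed to send User-ID updates.
FIREWALL = "firewall.example.invalid"
API_KEY = "REPLACE_WITH_API_KEY"


def build_logout_message(user, ip):
    """Return a uid-message whose <logout> payload deletes the mapping
    of `user` at `ip`, so traffic from that IP becomes 'unknown' again."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    logout = ET.SubElement(payload, "logout")
    ET.SubElement(logout, "entry", name=user, ip=ip)
    return ET.tostring(root, encoding="unicode")


def build_request(xml_body, firewall=FIREWALL, api_key=API_KEY):
    """Build the POST the User-ID API expects: type=user-id, key and the
    XML document in the `cmd` form field."""
    url = f"https://{firewall}/api/"
    data = urllib.parse.urlencode(
        {"type": "user-id", "key": api_key, "cmd": xml_body}
    ).encode()
    return urllib.request.Request(url, data=data, method="POST")


def send_logout(user, ip):
    """Send the logout update and return the firewall's XML response."""
    req = build_request(build_logout_message(user, ip))
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    import socket
    import sys
    # Constructed invocation: the logoff script passes the domain user;
    # the client's own resolved address is used as the mapping IP.
    user = sys.argv[1] if len(sys.argv) > 1 else "EXAMPLE\\jdoe"
    print(send_logout(user, socket.gethostbyname(socket.gethostname())))
```

Only the mapping named in the entry is removed; a timer-based expiry on the device (the 3600 seconds mentioned earlier in the thread) still applies to mappings no script ever clears.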