IP to user mapping unreliable

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

IP to user mapping unreliable

L4 Transporter

Situation: PC connected to our domain. Domain users log on to it. Domain users have internet access.

The same PC is used for assessments. These (external) users log on with a local user account (not known as a domain user). These users are not allowed to have internet access.

If a domain user has logged on to the PC, the IP is mapped to the user. If the domain user logs off, the IP mapping remains (until timeout). If in the meantime a local user logs on, he/she has full internet access.

This posed two severe problems:

1. Traffic coming from that PC is mistakenly logged as coming from that user.

2. Policies for denying applications based on user don't work.

How can I make the device reliably identify users and allow/deny applications ?

32 REPLIES 32

Well, that is one way to look at it. As I mentioned before it is likley we don't know 100% of the users 100% of the time. In a Windows environment local client users are a bit of a hazzle. Then again, how many of us allow "avarage Joe" to logon locally? In most cases nearly all users are in our directory.

I don't know how the LDAP-agent works with e-Directory as Novell saves both logon/logoff events in the directory as well as the client IP. In theory it would be easier to keep track of these users... but.....

...users were born to make our lives a living hell Smiley Wink They shut off the PC's without logging off, hibernate the PC, etc.

100% correct 100% of the time is tough, but there is room for improvement no doubt.

Good Luck!

If you require absolute to the second 100% information on a user - this will need s/w on the client.  For this you have a couple of options:

1.  Use a combination of 802.1x supplicants and 802.1x Network.  Then use RADIUS messages from 802.1x over EAP, for example, to hook into our User-ID XML-API.  You'll get log on and off here.

2.  PAN-OS 4.0 will give you client s/w that can be distributed to get to the desired results for User-ID.

Best Regards

James

Like you said: most users are in our active directory. That's because we want to make sure the user is allowed/forbidden access to certain resources. I consider AD authentication very reliable. The only time it fails is when users give their passwords to others, but that is not my responsability anymore.

Until further notice I consider User ID not reliable, but it is my responsability to make sure unauthenticated user can't browse the internet.

I'm having my reseller escalate the issue to the local PA office.

Hi Dieter,

The real problem we are hitting here is that you have non domain users as well as domain users and our current design has no real support for local users. If you were having multiple domain users use the sytem, the new log in events would update and all would be well. Instead what happens is there is no event that we track occuring when the local user loggs on. You can define log out scripts in your AD to remove the user from User ID using the API. This would serve to make the local user unknown, which seems to be the result that you want. Does this make sence?

Nick

Does make sense, but as far as I know, the PAN agents don't collect log out events.

You are correct. That is why I would use the User ID API with a Log Out script to force the removal of the IP mapping. (https://live.paloaltonetworks.com/docs/DOC-1348). In this way we can create our own log out event....

A nice thought James, but when using 802.1x you don't even have an IP-address when you authenticate. In most 802.1x implementations I have seen or been involved in "x" is used to place authed users on a specific VLANs for that user/group. Admittance based on client security posture is another reason for using it.

You are correct, but an IP Address is requested and given - depending on your implementation (granted) all this information will be in the RADIUS server.  Otherwise, you may have some correlation work to do with a DHCP server.

Thanks

James

Has this been done before ? I don't know the API, so I have no idea how difficult/easy this would be to implement.

Hi,

We had a similar issue and the below fixed this for us.

Have you tried disabling the cache on the Palo Agent? it is in the configure part of the agent and it is called "Enable Group Cache" untick that and delete the user_ip_map.txt file in the Pan Agent folder, then restart the service. I have attached a screen shot of the setting also.

Haven't tried that, but there's still the issue with the long timeout on the PA device...

Hi All,

Just to share our feedback about user-id feature, there are mainly two items to deal with :

- When you are using fixed PCs using your AD domain : it's quite simple, because IPs won't often change, but you have to deal with multi-users computers.

- When you are using laptop, even if AD agent is efficient, you won't be able to have a real time userID-IP association ( when IP have changed ).

Within my company, we deal with these two issues by using the XML/API agent. We deploy a piece of code which communicates with the API agent. Now life is great . We have 80 000 PCs in which 45000 are laptop, we are able to recognize who is behind each IP within 10 to 15s.:smileycool:

The Palo Alto UserID feature is really great, but you have some work to do to take full advantage of it. I think release 4 will bring some more integrated features, but at the moment the system is quite open.

It has changed the way we provide security.

PS : this information is intended to stay in this private forum within Palo Alto, no public communication, thanks.

L3 Networker

Having exactly the same issues. In this case it is a single AD box with multiple AD users. Cannot disable the user ID cache since they have multiple remote sites – the probing etc will overwhelm the WAN links.


The API/XML script seems like a great solution but not a commercially and economically feasible solution. Pushes up costs of deploying Palo since custom dev work must be done to get it going…


Would anybody mind sharing their API/XML solution to fix this issue in the meanwhile? Hopefully Palo will implement a function whereby the PAN agent can read the security logs for logoff events directly. (not too sure why it does not in the first place?)

Hi Quinton,

Windows logoff events are less common then you may think. Most laptop users will just sleep or hibernate when they are leaving, neither of which creates the desired event.

With the current version of the user agent the only areas we still have some issues are in high turn over wireless networks where IP's are quickly recycled and reassigned. This is where the API comes in handy. Take a look at for an example of how to set it up. Modification of the scripts are not terribly complex and we are happy to help you out with it on the .

I am happy to get into more details on any of your concerns here, just let me know what they are.

Nick

Hi Nick

Thanks for the offer. Just an update, the issue is resolved. Turns out that WMI/NetBIOS probing is potent enough to build a more or less complete IP to user mapping table. So my initial thoughts were that all is working as expected and the issue must be something else. The problem was that the customer did not add any "include" networks in the PAN agent, only exclude networks. Upon closer inspection in the PAN agent logs I found the agent logging that IP x is not in the include list. Adding all the subnets to the PAN agent fixed all the issues experienced at this site with PAN agent – even the issue with multiple users logging onto a single PC was fixed. The IP to user mapping on the PAN firewall is updated almost instantaneously.

Thanks for the help

  • 12519 Views
  • 32 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!