IP to user mapping unreliable

Reply
L6 Presenter

Re: IP to user mapping unreliable

@dieter:

In your PAN agent config file, what is the setting for <enable_full_expire>? If it is 0, change it to 1.

Is there a user_ip_map.txt file in the PAN Agent folder? If so, delete it.

Restart the PanAgent service.

Do you still see the problem?

L4 Transporter

Re: IP to user mapping unreliable

enable_full_expire was indeed set to 0 (why is that option not in the configure dialog?!)

The file user_ip_map.txt gets recreated shortly after restarting the panagentservice.

I will test timeout expiration now...

L4 Transporter

Re: IP to user mapping unreliable

Ok, the user now times out on the PAN agent.

But on the device the timeout is fixed at 3600 seconds. This means the local user who has logged on shortly after the domain user can still access the internet. And that traffic is mistakenly logged as coming from the domain user.

L3 Networker

Re: IP to user mapping unreliable

See you got some help regarding your idle/expire timers.

I agree that monitoring security logs alone will never identify users 100% correctly. You might get close to 100% depending on your network and your configuration. The main reasons for this are:

A) PAN-agent does not monitor logoff events. I'm not even sure DCs log those types of events by default.

B) PAN devices rely on timers and/or WMI/NetBIOS probing to speed up expiration of old IP-user mappings.

C) Palo doesn't have an agent solution that can be installed on the client to pick up logon/logoff events and report these events on the fly to a "PAN-client-service" or whatever you want to call it.

Picking up client local logon events, on the other hand, would only be interesting if those types of logons resulted in the user being re-labeled as "unknown". That way we can choose to deal with them as unknown users, have them log on to the domain again, or use captive portal. Then again, this would require some sort of agent on the client.

L4 Transporter

Re: IP to user mapping unreliable

This undermines one of the most important features PaloAlto advertises: http://www.paloaltonetworks.com/technology/user-id.html

L3 Networker

Re: IP to user mapping unreliable

Well, that is one way to look at it. As I mentioned before, it is likely we don't know 100% of the users 100% of the time. In a Windows environment, local client users are a bit of a hassle. Then again, how many of us allow "average Joe" to log on locally? In most cases nearly all users are in our directory.

I don't know how the LDAP agent works with eDirectory, as Novell saves both logon/logoff events in the directory as well as the client IP. In theory it would be easier to keep track of these users... but.....

...users were born to make our lives a living hell :smileywink: They shut off the PCs without logging off, hibernate the PC, etc.

100% correct 100% of the time is tough, but there is room for improvement no doubt.

Good Luck!

L4 Transporter

Re: IP to user mapping unreliable

If you require absolute, to-the-second, 100% information on a user, this will need s/w on the client. For this you have a couple of options:

1. Use a combination of 802.1X supplicants and an 802.1X network. Then use RADIUS messages from 802.1X over EAP, for example, to hook into our User-ID XML API. You'll get log on and log off here.

2. PAN-OS 4.0 will give you client s/w that can be distributed to get the desired results for User-ID.

Best Regards

James

L4 Transporter

Re: IP to user mapping unreliable

Like you said: most users are in our Active Directory. That's because we want to make sure the user is allowed/forbidden access to certain resources. I consider AD authentication very reliable. The only time it fails is when users give their passwords to others, but that is not my responsibility anymore.

Until further notice I consider User-ID not reliable, but it is my responsibility to make sure unauthenticated users can't browse the internet.

I'm having my reseller escalate the issue to the local PA office.

L2 Linker

Re: IP to user mapping unreliable

Hi Dieter,

The real problem we are hitting here is that you have non-domain users as well as domain users, and our current design has no real support for local users. If you were having multiple domain users use the system, the new log-in events would update and all would be well. Instead, what happens is there is no event that we track occurring when the local user logs on. You can define logout scripts in your AD to remove the user from User-ID using the API. This would serve to make the local user unknown, which seems to be the result that you want. Does this make sense?

Nick
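The logout-script approach Nick describes, as an added example that is not part of the original thread or Palo Alto's own tooling: it builds a User-ID XML API `uid-message` that removes one user-to-IP mapping and POSTs it to the firewall's `/api/?type=user-id` endpoint, so a local logon that follows is no longer attributed to the domain user. The firewall hostname and API key are placeholders you must replace; the parse helper only exists to check the generated message.

```python
"""Domain logoff-script helper: tell the firewall that a user has left an IP."""
import ipaddress
import ssl
import sys
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Placeholders: substitute your firewall's management address and an API key.
FIREWALL_HOST = "firewall.example.invalid"
API_KEY = "REPLACE-WITH-API-KEY"


def build_uid_message(action: str, user: str, ip: str) -> bytes:
    """Build a User-ID XML API update ('login' or 'logout') for one user/IP pair."""
    if action not in ("login", "logout"):
        raise ValueError("action must be 'login' or 'logout'")
    ipaddress.ip_address(ip)  # rejects a malformed address before it reaches the API
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    section = ET.SubElement(ET.SubElement(root, "payload"), action)
    ET.SubElement(section, "entry", name=user, ip=ip)
    return ET.tostring(root)


def parse_uid_message(xml_bytes: bytes) -> tuple:
    """Return (action, user, ip) from a message; used to verify the round trip."""
    section = ET.fromstring(xml_bytes).find("payload")[0]
    entry = section.find("entry")
    return section.tag, entry.get("name"), entry.get("ip")


def send_uid_message(xml_bytes: bytes, verify_tls: bool = True) -> bytes:
    """POST the message as the 'cmd' form field. Network call; not run by the test."""
    url = f"https://{FIREWALL_HOST}/api/?type=user-id&key={urllib.parse.quote(API_KEY)}"
    body = urllib.parse.urlencode({"cmd": xml_bytes.decode()}).encode()
    ctx = ssl.create_default_context()  # certificate checks stay on by default
    if not verify_tls:  # lab-only: the management interface may use a self-signed cert
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, data=body)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.read()


if __name__ == "__main__":
    # Usage from a logoff script: python logoff_uid.py "DOMAIN\\user" 10.0.0.5
    print(send_uid_message(build_uid_message("logout", sys.argv[1], sys.argv[2])))
```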

L4 Transporter

Re: IP to user mapping unreliable

It does make sense, but as far as I know, the PAN agents don't collect logout events.
