Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
06-17-2013 07:53 AM
I have a question. Maybe someone has run across this.
I am using the server monitoring function of Palo
I realize that I can use the user-ID agent and set it to never forget the user mapping, but I am looking for a more accurate way of keeping this mapping.
We have mac's that authenticate to a win 2008 domain. Initially I get the user to ip mapping, after the Palo cache expires the mapping is lost. Mac's do not auto update the cache.
My windows machines work normally, The initial mapping is correct and if I use any network resources the user mapping gets updated in Palo.
Any idea's, suggestions, etc
-Joe
06-18-2013 11:09 AM
If you access to a windows share (part of domain) for sure, you need authentication.
Try to ad your file server as server in the User-ID client.
I know that the user-ID is able to minotor AD / Exchnage / File server then try that.
V.
06-17-2013 10:06 AM
Hi,
When you are using windows machine in AD, you open a session and then after that, periodically, your session is renewed in the AD.
The palo is polling your security event and see, ever you new session and your renew then update is local cahe then you stay authenticated.
In Mac world, not sure but , you open a session in AD then generate event then be authen in the palo. After couple of minutes, maybe your Mac doon't ask for session renew then no event in the AD then your authenti expire in the palo.. If you try to access a network ressource, in background you are authenticate again in the domain then you are known by the palo.
To be sure, you can check the event in your AD:
Windows 2000/2003:
SUCCESS_NET_LOGON = 540,
AUTH_TICKET_GRANTED = 672,
SERVICE_TICKET_GRANTED = 673,
TICKET_GRANTED_RENEW = 674,
ACCOUNT_USED_FOR_LOGON = 680,
Windows 2008:
LOGON_SUCCESS_W2008 = 4624,
AUTH_TICKET_GRANTED_W2008 = 4768,
TICKET_GRANTED_RENEW_W2008 = 4770,
ACCOUNT_USED_FOR_LOGON_W2008 = 4776,
Hope help
V.
06-17-2013 10:57 AM
I agree that is whats happening, except when I use a network resource with the mac, it never creates a new security log.
The resource (mapped share, printer, etc) do work on the mac, but i do not see any security logs being renewed..
I did a custom filter on AD log for the mentioned ID events
-Joe
06-18-2013 11:09 AM
If you access to a windows share (part of domain) for sure, you need authentication.
Try to ad your file server as server in the User-ID client.
I know that the user-ID is able to minotor AD / Exchnage / File server then try that.
V.
06-18-2013 11:41 AM
Great idea, after an initial check this might just work. I was only monitoring my domain controllers. I do see more activity on the specific server for logon request coming from my mac.I will update this tomorrow.... 
06-24-2013 05:33 AM
Sorry about the delay int getting back to you Vince, been getting slammed here.
It looks like monitoring the servers did the trick. Thanks for the suggestion.
Cheers
-Joe
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
