When I configured authentication on PaloAlto, I ran into a problem:
I tested authentication on PaloAlto:
- 1 Domain Server: installed PAN Agent
- 2 PCs joined to the domain
- Create some accounts: user1, user2, user3
1> I logged on with a domain user (user1); I could access the Internet, and in the Monitor tab I could see my PC had been authenticated (user_domain.png)
2> I logged out and logged in again with a local user (cloud); I could still access the Internet (user_Local.png) although I set the policy to deny all except user1, user2 (policy.png)
3> If I changed the IP address from 172.16.1.71 to 172.16.1.76, I couldn't access the Internet, but if I changed the IP address to 172.16.1.71, I could still access the Internet.
- I want only domain users to access the Internet, not local users. Can PaloAlto do this or not?
- I think PaloAlto cached the IP address to identify the domain account, so when I log on with a local user with the old IP address, I can still access the Internet. If I am right, how long until PaloAlto clears the cache? Can I change the time to clear?
- I used PC1 to access the Internet with user1, but I could still use PC2 to access the Internet with user1. PC1 and PC2 could access the Internet at the same time with the same user. Can I configure PaloAlto to allow only one user to access the Internet?
The PANAgent is looking for users logged into the domain and won't detect if a user is changed to "local." As long as that IP remains active, the PANAgent thinks the original domain user is logged in. Even when using NetBIOS probing, the original domain login is cached (even if actually logged out) on the workstation and the PANAgent will continue to see the original domain login. 3.1 may be an option for you as it will allow you to use WMI instead of NetBIOS and user activity will be correctly read.
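
Added example, not part of the original thread and not Palo Alto's code: a simplified Python model of an IP-keyed user mapping that replays the three observations from the question and shows how an accurate session probe or an age-out removes the stale entry. The `IpUserMap` class, its `probe` method and the 2700-second TTL are assumptions made for illustration.

```python
# Simplified model of an IP-keyed user mapping; not Palo Alto's implementation.
ALLOWED_USERS = {"user1", "user2"}   # policy from the question: deny all except these
TTL = 2700                           # assumed age-out in seconds (constructed value)

class IpUserMap:
    def __init__(self, ttl=TTL):
        self.ttl = ttl
        self.table = {}              # ip -> (domain user, time last confirmed)

    def domain_logon(self, ip, user, now):
        """In this model a domain logon event is what creates a mapping."""
        self.table[ip] = (user, now)

    def probe(self, ip, session_user, now):
        """Hypothetical accurate probe: session_user is None for a local account."""
        if session_user is None:
            self.table.pop(ip, None)
        else:
            self.table[ip] = (session_user, now)

    def lookup(self, ip, now):
        user, seen = self.table.get(ip, (None, 0))
        if user is not None and now - seen > self.ttl:
            del self.table[ip]       # entry aged out
            return None
        return user

def allowed(m, ip, now):
    # Policy is evaluated on the user mapped to the source IP, not the real session.
    return m.lookup(ip, now) in ALLOWED_USERS

def replay():
    m, r = IpUserMap(), {}
    m.domain_logon("172.16.1.71", "user1", now=0)
    r["domain_user"] = allowed(m, "172.16.1.71", 10)
    # Local account "cloud" logs on: no domain event, so the table is unchanged.
    r["local_same_ip"] = allowed(m, "172.16.1.71", 600)
    r["local_new_ip"] = allowed(m, "172.16.1.76", 700)      # no mapping for .76
    r["local_old_ip_again"] = allowed(m, "172.16.1.71", 800)
    m.probe("172.16.1.71", None, now=900)                   # probe sees no domain user
    r["after_probe"] = allowed(m, "172.16.1.71", 910)
    m.domain_logon("172.16.1.71", "user1", now=1000)
    r["after_age_out"] = allowed(m, "172.16.1.71", 1000 + TTL + 1)
    return r

if __name__ == "__main__":
    for step, ok in replay().items():
        print(f"{step:20} {'allow' if ok else 'deny'}")
```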