PaloAlto integrate with AD
cancel
Showing results for 
Search instead for 
Did you mean: 

PaloAlto integrate with AD

Not applicable

When I configured authentication on  PaloAlto I met the problem:

I tested authentication on  PaloAlto:

- 1 Domain Server: installed PAN Agent

- 2 pc join  domain

- Create some accounts: user1,  user2, user3

1> I logon with domain user  (user1), I can access Internet and in Monitor Tab I can see my pc had been  authenticated (user_domain.png)

2> I logout and login again with  local user (cloud), I still can access Internet (user_Local.png) although I set  policy deny all except user1, user2 (policy.png)

3> If I changed IP Address from  172.16.1.71 to 172.16.1.76, I couldn’t access Internet but If I changed IP  Address to 172.16.1.71, I still access Internet.

-      I want only domain user can access  Internet but local user, PaloAlto can do or not?

-      I think PaloAlto cached the IP  Address to define Account Domain so when I logon with local user with old IP  Address, I still access Internet. If I right, how long PaloAlto will clear  cache? Can I change the time to clear?

-      I used PC1 to access Internet with  user1 but I still could  used PC2 to access Internet with user1. PC1 and PC2  could access Internet in the same time with the same user. Can I configure  PaloAlto allow only one user to access Internet?

1 REPLY 1

L5 Sessionator

The PANAgent is looking for users logged into the domain and won't detect if a user is changed to "local."  As long as that IP remains active, the PANAgent thinks the original domain user is logged in. Even when using Netbios probing, the original domain login is chached (even if actually logged out) on the workstation and the Panagent will continue to see the original domain login.    3.1 may be an option for you as it will allow you to use WMI instead of Netbios and user activity will be correctly read.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!