panagent user identification problem with working groups on the active directory

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

panagent user identification problem with working groups on the active directory

L3 Networker

Hi,

i tried ad user identification with pan agent on the pa2050 box and windows2008R2.But i have some problems

for example;

i created one group which called MSN_DENY and added it 5 users like test 1,test 2,test3,test4,test5(whatever) .later i was write two security rule.

firstly deny msn traffic for MSN_DENY group(rule1),

secondly permit msn traffic for everyones(rule2).

But some users in the MSN_DENY group cannot access to msn(its natural), but someusers can access to msn?

when i check  on the pa box user ip mapping i see everythinks okey...

do u have any idea this subject?

how can i fix this problem?

regards

11 REPLIES 11

L4 Transporter

Hi,

Have you checked the monitor log? Can you see the user being identified correctly? Have you tried to apply the policy based on THAT specific user rather than the group? This can help you to isolate if it is user id problem or user group issue.

Hi,

i will try and write result

thanks

Hi again

i inspect traffic logging and discovered some interesting behavior

for example

we have 1 msn_permit group and 10-15 users

i examine one user which called mkucukoglu start session with this username "mkucukoglu" but later this username converted "kral" and lost mkucukoglu on the fw box.i attached printscreen of the log

do u have any idea.

i am stuck

Hi,

Under normal situation it should not happen.

As out agent create user to IP mapping based on AD security log, would you check with your AD log to see if there is an entry regarding that IP and user?

On Windows 2003 DC event IDs :

o 672(Authentication Ticket Granted, which occurs on the logon moment),

o 673(Service Ticket Granted)

o 674(Ticket Granted Renewed which may happen several times during the logon session)

On Windows 2008 DCs event IDs:

o 4768(Authentication Ticket Granted)

o 4769(Service Ticket Granted)

o 4770(Ticket Granted Renewed)

If there is also two entries for the same IP within a short interval, our agent is actually working as expected. And we need to find out the reason why so many users will login to the PC holding that IP. We can exclude that IP in the agent allow/ignore list if that is a server.

As best practice, in the agent allow list you should only put ips in your user subnet and put all the servers in the ignore list.

Hi and thanks again

ip is not problem as for me. actually we must examine active directory log and user computer. (but away this ip is a clients pc not a server.when i ignore this ip, same username still belong to "msn_permit" group and it cannot connect to msn.)

our agent running normal according to me but clients pcs have some problems or its run custom services...

regards

Hi,

i was examine my problem.

problem is remote desktop connection.when i connect to primary active direcoty server to different username ip-user-mapping changing

for example;

show user ip-user-mapping ip 10.10.4.205


IP address:  10.10.4.205

User:        belediye\mkucukoglu

Ident. By:   AD

Idle Timeout: 3089s

Max. TTL:    3089s

Groups that user belong to (used in policy)Group(s):    belediye\facebook_permit

                                                                               belediye\msn_permit

later remote desktop connection to active directory

show user ip-user-mapping ip 10.10.4.205


IP address:  10.10.4.205

User:        belediye\kral

Ident. By:   AD

Idle Timeout: 3089s

Max. TTL:    3089s

Groups that user belong to (used in policy)Group(s):    belediye\facebook_deny

                                                                               belediye\msn_deny

do u know any idea?

i try to ignore username(for "kral" user ) but my problem not resolved

regards

Hi,

In all cases, you should go to configure -> ignore list to put all the server IP addresses/subnet on the list. This will avoid this issue.

In your case, because a server can be accessed by many users or by the service account to run the server service, if you don't exclude the server IP from user-id, this will trigger unexpected user to ip mapping.

Hi

10.10.4.205 is a client computer nat a server.user just connect to active directory server with remote desktop via this pc.

i try ignore to kral user via pan agent and i was try ignore to servers ip but not this problem not resolv

ignore user list

belediye\kral

du u have any idea

regards

@lildeniz:

the ignore list should not contain the domain prepend.

the file should contain one user per line.

for example:

joe

mary

kral

administrator

thanks a lot

Hi,

Please ignore all server IP and service account for the server. If possible, restart the agent service at night so that you can check the result clearly in the day after the restart.

  • 4744 Views
  • 11 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!