08-11-2011 05:14 PM
Hi,
I tried AD user identification with the PAN agent on the PA-2050 box and Windows 2008 R2, but I have some problems.
For example:
I created one group called MSN_DENY and added 5 users to it, like test1, test2, test3, test4, test5 (whatever). Later I wrote two security rules:
first, deny MSN traffic for the MSN_DENY group (rule1),
second, permit MSN traffic for everyone (rule2).
Some users in the MSN_DENY group cannot access MSN (which is natural), but some users can access MSN?
When I check the user-IP mapping on the PA box, I see everything is okay...
Do you have any idea about this subject?
How can I fix this problem?
regards
08-11-2011 09:31 PM
Hi,
Have you checked the monitor log? Can you see the user being identified correctly? Have you tried to apply the policy based on THAT specific user rather than the group? This can help you isolate whether it is a user-ID problem or a user-group issue.
08-12-2011 03:32 AM
Hi,
I will try and write the result.
thanks
08-12-2011 11:44 AM
Hi again
I inspected the traffic logging and discovered some interesting behavior.
For example:
We have 1 msn_permit group and 10-15 users.
I examined one user called mkucukoglu, who started a session with the username "mkucukoglu", but later this username was converted to "kral" and mkucukoglu was lost on the FW box. I attached a printscreen of the log.
Do you have any idea?
I am stuck.
08-12-2011 10:45 PM
Hi,
Under normal circumstances this should not happen.
As our agent creates the user-to-IP mapping based on the AD security log, would you check your AD log to see if there is an entry regarding that IP and user?
On Windows 2003 DCs, event IDs:
- 672 (Authentication Ticket Granted, which occurs at the moment of logon),
- 673 (Service Ticket Granted),
- 674 (Ticket Granted Renewed, which may happen several times during the logon session).
On Windows 2008 DCs, event IDs:
- 4768 (Authentication Ticket Granted),
- 4769 (Service Ticket Granted),
- 4770 (Ticket Granted Renewed).
If there are also two entries for the same IP within a short interval, our agent is actually working as expected, and we need to find out why so many users log in to the PC holding that IP. We can exclude that IP in the agent allow/ignore list if it is a server.
As a best practice, in the agent allow list you should only put IPs in your user subnets, and put all the servers in the ignore list.
08-13-2011 06:12 AM
Hi and thanks again
The IP is not the problem, as far as I'm concerned. Actually we must examine the Active Directory log and the user's computer. (By the way, this IP is a client PC, not a server. When I ignore this IP, the same username still belongs to the "msn_permit" group and it cannot connect to MSN.)
Our agent is running normally in my opinion, but the client PCs have some problems or run custom services...
regards
08-23-2011 03:59 AM
Hi,
I examined my problem.
The problem is the remote desktop connection. When I connect to the primary Active Directory server with a different username, the IP-user mapping changes.
For example:
show user ip-user-mapping ip 10.10.4.205
IP address: 10.10.4.205
User: belediye\mkucukoglu
Ident. By: AD
Idle Timeout: 3089s
Max. TTL: 3089s
Groups that user belong to (used in policy)Group(s): belediye\facebook_permit
belediye\msn_permit
Later, after a remote desktop connection to Active Directory:
show user ip-user-mapping ip 10.10.4.205
IP address: 10.10.4.205
User: belediye\kral
Ident. By: AD
Idle Timeout: 3089s
Max. TTL: 3089s
Groups that user belong to (used in policy)Group(s): belediye\facebook_deny
belediye\msn_deny
Do you have any idea?
I tried to ignore the username (for the "kral" user) but my problem is not resolved.
regards
08-25-2011 12:03 AM
Hi,
In all cases, you should go to Configure -> Ignore List and put all the server IP addresses/subnets on the list. This will avoid this issue.
In your case, because a server can be accessed by many users or by the service account that runs the server service, if you don't exclude the server IP from User-ID, this will trigger unexpected user-to-IP mappings.
08-26-2011 07:51 AM
Hi
10.10.4.205 is a client computer, not a server. The user just connects to the Active Directory server with remote desktop via this PC.
I tried to ignore the kral user via the PAN agent and I tried to ignore the servers' IPs, but this problem is not resolved.
Ignore user list:
belediye\kral
Do you have any idea?
regards
08-26-2011 10:12 AM
@lildeniz:
The ignore list should not contain the domain prepended.
The file should contain one user per line.
For example:
joe
mary
kral
administrator
08-29-2011 08:35 PM
Hi,
Please ignore all server IPs and the service accounts for the servers. If possible, restart the agent service at night so that you can check the result clearly the day after the restart.
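The replies above describe three mechanisms without showing them together: the agent building IP-to-user mappings from DC Kerberos events (672/673/674 on Windows 2003, 4768/4769/4770 on Windows 2008), the RDP session from 10.10.4.205 re-mapping that IP from mkucukoglu to kral, and the allow-subnet, ignore-IP and ignore-user lists that suppress such flips. The following Python script is an added example, not code from the thread or from Palo Alto Networks, and it is a simplified model of the agent, not its real logic. It assumes a constructed one-line event export format (real Windows event text looks different), constructed user and server subnets, and an ignore-user file in the bare-name-per-line format the thread describes. It replays the scenario, shows the mapping flip, flags IPs that saw two different users within a short window, and shows that listing `kral` in the ignore-user file keeps the mapping on mkucukoglu.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Kerberos logon events named in the thread: Windows 2008 DC (4768/4769/4770)
# and the Windows 2003 equivalents (672/673/674).
LOGON_EVENT_IDS = {"672", "673", "674", "4768", "4769", "4770"}

# Constructed sample events in a simplified one-line export format (not real
# Windows event text). They replay the thread's scenario: mkucukoglu logs on
# from 10.10.4.205, then opens an RDP session to the DC as "kral" from the
# same PC; a service account authenticates from a server subnet.
SAMPLE_EVENTS = """\
2011-08-12 09:00:01 EventID=4768 Account=belediye\\mkucukoglu ClientIP=10.10.4.205
2011-08-12 09:00:03 EventID=4769 Account=belediye\\mkucukoglu ClientIP=10.10.4.205
2011-08-12 09:00:05 EventID=4768 Account=belediye\\svc_backup ClientIP=10.10.1.10
2011-08-12 09:04:30 EventID=4768 Account=belediye\\kral ClientIP=10.10.4.205
2011-08-12 09:04:31 EventID=4769 Account=belediye\\kral ClientIP=10.10.4.205
2011-08-12 09:10:00 EventID=4768 Account=belediye\\test1 ClientIP=192.168.50.7
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"EventID=(?P<eid>\d+) Account=(?P<account>\S+) ClientIP=(?P<ip>\S+)$"
)


def parse_events(text):
    """Yield (timestamp, event_id, account, client_ip) for every line that parses."""
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["eid"], m["account"], m["ip"])


def strip_domain(account):
    """'belediye\\kral' -> 'kral': the ignore-user file takes bare names."""
    return account.rsplit("\\", 1)[-1].lower()


def load_ignore_users(text):
    """Parse an ignore-user file: one username per line, no domain prefix.
    A prefixed name is normalised here (an assumption of this model only;
    the thread says the real agent file must contain bare names)."""
    return {strip_domain(line) for line in text.splitlines() if line.strip()}


def build_mapping(events, allow_subnets, ignore_ips, ignore_users,
                  window=timedelta(minutes=10)):
    """Replay logon events into an ip -> user table (simplified agent model):
    - only events from the allow subnets count, ignore-list IPs never map;
    - ignored users never overwrite an existing mapping;
    - otherwise the latest event wins, which is exactly the RDP flip.
    Also returns IPs that saw more than one user within `window`."""
    allow_nets = [ipaddress.ip_network(n) for n in allow_subnets]
    ignore_nets = [ipaddress.ip_network(n) for n in ignore_ips]
    mapping = {}
    history = defaultdict(list)
    for ts, eid, account, ip in sorted(events):
        if eid not in LOGON_EVENT_IDS:
            continue
        addr = ipaddress.ip_address(ip)
        if any(addr in n for n in ignore_nets) or not any(addr in n for n in allow_nets):
            continue
        user = strip_domain(account)
        if user in ignore_users:
            continue
        mapping[ip] = user
        history[ip].append((ts, user))
    conflicts = defaultdict(set)
    for ip, entries in history.items():
        for i, (ts, user) in enumerate(entries):
            for later_ts, later_user in entries[i + 1:]:
                if later_ts - ts <= window and later_user != user:
                    conflicts[ip].update({user, later_user})
    return mapping, {ip: sorted(users) for ip, users in conflicts.items()}


def run(ignore_users_text=""):
    """Replay SAMPLE_EVENTS with a user-subnet allow list, a server subnet on
    the IP ignore list, and an optional ignore-user file (all constructed)."""
    return build_mapping(
        parse_events(SAMPLE_EVENTS),
        allow_subnets=["10.10.4.0/24", "192.168.50.0/24"],  # user subnets (constructed)
        ignore_ips=["10.10.1.0/24"],                         # server subnet (constructed)
        ignore_users=load_ignore_users(ignore_users_text),
    )


if __name__ == "__main__":
    for label, text in (("no ignore-user file", ""), ("ignore-user file: kral", "kral\n")):
        mapping, conflicts = run(text)
        print(label, "->", mapping, "conflicts:", conflicts)
```

Without the ignore-user file the replay ends with 10.10.4.205 mapped to kral and that IP flagged as a conflict, which is the symptom reported in the thread; with `kral` in the file the mapping stays on mkucukoglu and no conflict remains. The conflict list is the defender-side check the 08-12 reply asks for: any IP that appears with two accounts inside a short interval is either a shared machine or a server that belongs on the ignore list.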