Panagents and Active Directory sub-domains

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Panagents and Active Directory sub-domains

L2 Linker

We have an Active Directory domain with a sub domain- bar.org and foo.bar.org. We have 4 panagent servers, 2 dedicated to each. Our problem is that when user A.bar.org logs on, PA sometimes identifies him as user B.foo.bar.org,  with the same IP address.

I can re-create this problem by logging onto a machine first as a member of bar.org, then foo.bar.org. I suspect multiple logons to a single machine, plus short IP lease times are the issue. Is there a solution for this?

1 accepted solution

Accepted Solutions

L3 Networker

this is a current design limitation since windows does not create a log off event for us to monitor. I assume you have a pan agent for every domain since currently the pan agent can only monitor a single domain.

the reason you are running into this issue is that pan agent (bar.org) and pan agent (foo.bar.org) will retain the user to ip mapping even though the user has logged off that machine.

one work around for this is if the machines allowing WMI probing. you can enable WMI probing on the palo alto device and also lower the age-out timeout. but that can not be lower the the netbios probing timer which is also the timer for wmi.

note: you do not want this it o be to aggressive since you will be forcing the mapping to be deleted from pan agent.

I need to verify but i believe we made some enhancements for this in 4.1 which you can use a single agent for multiple domains.

View solution in original post

3 REPLIES 3

L3 Networker

this is a current design limitation since windows does not create a log off event for us to monitor. I assume you have a pan agent for every domain since currently the pan agent can only monitor a single domain.

the reason you are running into this issue is that pan agent (bar.org) and pan agent (foo.bar.org) will retain the user to ip mapping even though the user has logged off that machine.

one work around for this is if the machines allowing WMI probing. you can enable WMI probing on the palo alto device and also lower the age-out timeout. but that can not be lower the the netbios probing timer which is also the timer for wmi.

note: you do not want this it o be to aggressive since you will be forcing the mapping to be deleted from pan agent.

I need to verify but i believe we made some enhancements for this in 4.1 which you can use a single agent for multiple domains.

Thanks, that's very helpful. We do have a panagent for each domain, but we don't currently use WMI probing. I don't believe WMI or NETBIOS is enabled on our clients, but it could be for some.

I will upgrade to 4.1 and monitor, then try your suggestions.

Update- 4.1 does address this. I upgraded earlier this week, and there appears to be a positive impact. Not only can I manage the multiple domains, I can also point to Exchange servers for authentication.

Thanks for the fixes!

  • 1 accepted solution
  • 3958 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!