Permanently cached user to IP

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Permanently cached user to IP

Not applicable

Did a search, but nothing seems to answer my question:

I would like input from more knowledgable folks on the problem described - the permanent caching of a "good" account on computers that are kiosk mode and logged in with "ignored" accounts.  See example below:

PC Kiosk1  and AD domain account "ignored1" set to ignore (via AD group memership and adding that group in User agent as ignore group), therefore can force a captive portal authentication to ensure appropriate access of web is given to whomeever may use that PC for Internet access (without logging in/out of the PC itself). PC support tech JDOE logs in to PC (CTL-ALT-DEL, login, etc..) does his thing and logs out. IGnored1 account is used to login but now all Intenet activity from that PC and the Intenet access permissions are the ones that JDOE had. The IP to user cache for KIOSK1 is not cleared out.

I know that enabling WMI/NetBios polling will fix this, but it creates additional network traffic. Due to our large environment (over 6000 PCs) I am a bit leary of turning it on. Does anyone know the approximate traffic for one (1) WMI/Netbios poll?

Any alternate solutions to this problem? Is there a way to clear out the cache on the PAN Agent side? Clearing it from the PAN device does not do anything.

Thanks!

John

8 REPLIES 8

Cyber Elite
Cyber Elite

Hi John

If netbios/WMI polling is undesirable you could go ahead and change some of the timeout parameters to better suit your environment, then go into the panagent config (config.xml) file and change the "enable-full-expire" setting to 1. This will ensure stale logins are removed from the database once the "timeout" is hit.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

So does that affect only Captive Portal authentication or all authenticated people (including "transparent")? The desire is to clear out the authentication from these "generic" kiosk machines only. We have machines that people log into with their personal accounts and do not want those to be prompted for captive portal

I want to make sure I understand what the setting does prior to making a change. I found a a document, but it doesnt explain much of anything. (https://live.paloaltonetworks.com/docs/DOC-1233).  What exactly does the "Age-Out Timeout" value affect?

Hi

The age-out timeout kicks in when a user was detected as logged in by a security event or netbios probe and does not trigger any other events to "refresh" his session for an amount of time equal to the number set in age-out timeout after which the user-IP pair is timed out (deleted from db if full-expire is enabled).

The options affect all users in the panagent db, users picked up by captive portal are stored on the PaloAlto locally and are not purged by panagent options (unless the IP gets picked up by panagent for that or a different user, then it is overwritten)

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Huh ok. It seems my problem is two fold then. I have machines (personal PCs) that people log in with user id's that are members of AD groups that are in the "filter group" Panagent setup (auto populates from DC IP to userid correlation and applies appropriate filtering permissions). I also have machines (kiosk PCs) that are logged in with user ids that are members of an AD group that is listed as an "ignored" list in Panagent (captive portal prompts for a user id and password).

When a filtered user id is used to log in, and then an ignored user is used, it permanently caches the "filtered" user id and does not prompt for captive portal anymore. I've tried manually clearing these entries out via CLI (clear user-cache ...... etc) but it does not clear the user to ip address correlation.

What you're saying is that the enable full expire, if set to 1, will clear out the user to ip caching from the pan agent listing if no internet activity is seen from that specific IP.

I guess my questions are:

     1. How can I make sure that filtered people who are transperantly authenticated via DC security events (PanAgent) on computers that are typically logged in with "ignored" accounts have their cached items removed once they log out of the kiosk PC?

     2. How can I make my manual clear commands for specific user to specific ip cache via CLI actually work (they currently dont)?

     3. Will the enable full expire set 1 cause any problems with people logged in to their personal PC's? What will they get if they leave a machine logged in but with no internet activity within xx amount of time?

     4. If enabling NetBios/WMI polling is the only "sure" fix for this, what sort of network usage load are we talking about? It's a single Panagent device for the complete domain with about 6000 computers.

bump.

L3 Networker

1. You will need to have net-bios or wmi probing enabled or you will need to modify the configuration file and change the full expire to 1 if you have netbios/wmi disabled.

2. jnguyen@lab-58-PA500> clear user-cache ip
  <ip/netmask>  <ip/netmask>

3. if you have full expire enabled without netbios and wmi. if a user is logged in but has not generate another event they will be removed from the user ip table. until they generate another event they will be unknown.

4. you will need to make sure the machines are allowing netbios/wmi enabled for the pan agent to probe them or you may run into issues with them switching to unknown.

Well - here's a doozy. Some additional questions:

1. Enabled WMI/NetBios probing for testing but I still have an IP to user id mapping that I know is incorrect and yet it's still not clearing it out. It's been set to enabled for over 3 hours - so the 20 minute timeout has come and gone several times. Additionally, I've got user-to-ip mappings going to _unknown_ when I know they are good. Is this due to failed netbios probes? I've been assured that any firewall software is disabled and wmi/netbios is enabled on the computers, but the log file on the PAN agent still shows a fail.

2 I thought that when WMI was enabled it would remove all the user to ip correlations it could not verify - and it's removing some it cant verify due to these failed probes I guess, but it's leaving a ton that I know are supposed to have failed because their's nothing using the ip's (failed pings).

3. If WMI polling is disabled, the enable full expire in the XML is set to 1, and age-out timeout is set to larger than 600 minutes (660?) to allow for windows re-auth, what type of event will cause the timeout value to re-start? Is it internet activity or some sort of native windows action?

4. If the items in point 3 (above) work, how will the reauthentication of an "ignored" account cause the incorrect user-to-ip mapping to flush out?

You should open a case with support to resolve this issue. This sounds too complicated for a forum discussion or email.

Steve Krall

  • 3628 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!