Hi James,
The workstation and its IP address are being associated with the local login as well as the AD login credentials used to RDP to other servers.
This confuses the Palo Alto while deciding which user to associate the IP address to... the correct policy does not match for the user in question.
Cheers
My solution was to exclude the subnet our servers were on. May not be viable for everyone.
Bhavin,
Is the server account which you use to log in during an RDP session part of the domain administrator account? If yes, then can you please try an account which is not part of domain administrator and see if the PC retains its original user ID and IP address?
Thanks
Hi mrajdev,
Thanks for the response. I am afraid the usernames are part of the domain and unfortunately, in our environment, non-domained usernames are not permitted. Are there any other solutions?
I was thinking of ignoring the admin AD users on pan-agent and using the sys admins' IP addresses in the policies. Not a very smart solution, but I am still in search of a better solution to this problem.
Cheers
Bhav
Hello Bhav,
When this issue occurs, are you logging on via RDP to a Domain Controller? If so, can you attempt to logon via RDP to another Server/Workstation (Non-DC) & confirm whether the original User-ID mappings on both machines are retained?
Thanks,
Bryan
Hi Bryan,
I am RDP'ing to a server and not a domain controller.
Cheers
Bhav
Hi Bryan,
Unfortunately we don't have any non-domained PCs connected in our domain.
Cheers
Bhavin
Also experiencing the exact same behaviour!
Is there a best practice guide on how to best overcome this issue?
Thanks
My only solution is to either wait for the WMI Query or have the user lock and unlock their PC.
According to some docs, the following event IDs are being monitored for by the pan agent:
Win2003 DCs:
672
673
674
Win2008 DCs:
4768
4769
4770
So I find it interesting that your event ID 4624 would have something to do with this... has the pan agent been updated to cover even the 4624 events for some odd reason?
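The overwrite described at the top of the thread and the "ignore the admin AD users" workaround suggested earlier can be reproduced offline with a small model. This is an added example, not code from any poster or from Palo Alto Networks; it assumes a simplified last-event-wins mapping table built only from the Win2008 event IDs listed above, and every account name, IP address and event is constructed.

```python
from dataclasses import dataclass

# Event IDs the thread lists as monitored on Win2008 DCs.
MONITORED_EVENT_IDS = {4768, 4769, 4770}

@dataclass(frozen=True)
class Event:
    time: int      # seconds since start of capture (constructed)
    event_id: int
    user: str
    src_ip: str

def _monitored(events):
    """Return only monitored events, oldest first."""
    return sorted((e for e in events if e.event_id in MONITORED_EVENT_IDS),
                  key=lambda e: e.time)

def build_mappings(events, ignore_users=()):
    """Last-event-wins IP-to-user table (assumed model, not the agent's code)."""
    ignored = {u.lower() for u in ignore_users}
    table = {}
    for ev in _monitored(events):
        if ev.user.lower() not in ignored:
            table[ev.src_ip] = ev.user
    return table

def find_overwrites(events):
    """List (ip, previous_user, new_user, time) for every mapping change."""
    last, changes = {}, []
    for ev in _monitored(events):
        prev = last.get(ev.src_ip)
        if prev is not None and prev != ev.user:
            changes.append((ev.src_ip, prev, ev.user, ev.time))
        last[ev.src_ip] = ev.user
    return changes

# Constructed sample: a user logs on at a workstation, then uses a separate
# admin account from the same workstation to RDP to a server.
SAMPLE_EVENTS = [
    Event(100, 4768, "corp\\alice", "10.0.5.20"),      # workstation logon
    Event(160, 4769, "corp\\adm-alice", "10.0.5.20"),  # ticket for the RDP target
    Event(161, 4624, "corp\\adm-alice", "10.0.9.8"),   # not in the monitored set
]

if __name__ == "__main__":
    print(build_mappings(SAMPLE_EVENTS))
    print(build_mappings(SAMPLE_EVENTS, ignore_users=["CORP\\adm-alice"]))
    print(find_overwrites(SAMPLE_EVENTS))
```

Running `find_overwrites` over exported DC events shows which workstation IPs flip between a standard and an admin account, which is the list of accounts to consider for an ignore list.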