RDP and the PAN-Agent

bhavin_bhatt
Not applicable

Hi James,

The workstation and its IP address are being associated with the local login as well as the AD login credentials used to RDP to other servers.

This confuses the Palo Alto while deciding which user to associate the IP address to... the correct policy does not match for the user in question.

cheers

mharding
L4 Transporter

My solution was to exclude the subnet our servers were on. May not be viable for everyone.

mrajdev
L4 Transporter

Bhavin,

Is the server account which you use to log in during an RDP session part of the domain administrator account? If yes, then can you please try an account which is not part of domain administrator and see if the PC retains its original user ID and IP address.

Thanks

bhavin_bhatt
Not applicable

Hi mrajdev,

Thanks for the response. I am afraid the usernames are part of the domain and unfortunately, in our environment, non-domained usernames are not permitted. Are there any other solutions?

I was thinking of ignoring the admin AD users on PAN-Agent and using the sys admins' IP addresses in the policies; not a very smart solution, but I am still in search of a better solution to this problem.

Cheers

Bhav

bryan
L3 Networker

Hello Bhav,


When this issue occurs, are you logging on via RDP to a Domain Controller? If so, can you attempt to log on via RDP to another Server/Workstation (Non-DC) & confirm whether the original User-ID mappings on both machines are retained?


Thanks,


Bryan

bhavin_bhatt
Not applicable

Hi Bryan,

I am RDP'ing to a server and not a domain controller.

Cheers

Bhav

bhavin_bhatt
Not applicable

Hi Bryan,

Unfortunately we don't have any non-domained PCs connected in our domain.

Cheers

Bhavin

bjackson
L2 Linker

Also experiencing the exact same behaviour!

Is there a best practice guide on how to best overcome this issue?

Thanks

mharding
L4 Transporter

My only solution is to either wait for the WMI Query or have the user lock and unlock their PC.

mikand
L6 Presenter

According to some docs the following event IDs are being monitored for by the PAN agent:

Win2003 DCs: 672, 673, 674

Win2008 DCs: 4768, 4769, 4770

So I find it interesting that your event ID 4624 would have something to do with this... has the PAN agent been updated to cover even the 4624 events for some odd reason?
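
The mapping flip discussed in this thread, as an added example that is not part of any post and is not Palo Alto's agent code: a simplified last-writer-wins model of an IP-to-user table built from the event IDs quoted above, with the two workarounds mentioned (ignoring admin users, excluding a subnet) as filters. The account names, addresses, event records and function names are constructed assumptions.

```python
import ipaddress

# Event IDs quoted in the thread (Win2003 and Win2008 domain controllers).
MONITORED_EVENT_IDS = {672, 673, 674, 4768, 4769, 4770}

# Constructed sample events, not real logs. One person uses two accounts:
# "alice" at the workstation, "adm-alice" as the credential typed into RDP.
SAMPLE_EVENTS = [
    {"time": "09:00", "event_id": 4768, "user": "CORP\\alice", "client_ip": "10.1.1.50"},
    {"time": "09:30", "event_id": 4768, "user": "CORP\\adm-alice", "client_ip": "10.1.1.50"},
    {"time": "09:31", "event_id": 4769, "user": "CORP\\adm-alice", "client_ip": "10.2.0.10"},
]

def build_mappings(events, ignore_users=(), exclude_subnets=()):
    """Assumed model: the newest monitored event for an IP wins."""
    ignore = {u.lower() for u in ignore_users}
    nets = [ipaddress.ip_network(n) for n in exclude_subnets]
    table = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] not in MONITORED_EVENT_IDS:
            continue
        user = ev["user"].lower()
        ip = ipaddress.ip_address(ev["client_ip"])
        if user in ignore or any(ip in n for n in nets):
            continue  # filtered events never touch the table
        table[str(ip)] = user
    return table

def overwritten(events):
    """Return {ip: [users in order seen]} for IPs mapped to more than one user."""
    history = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] not in MONITORED_EVENT_IDS:
            continue
        users = history.setdefault(ev["client_ip"], [])
        user = ev["user"].lower()
        if not users or users[-1] != user:
            users.append(user)
    return {ip: seen for ip, seen in history.items() if len(seen) > 1}

if __name__ == "__main__":
    print("no filters:     ", build_mappings(SAMPLE_EVENTS))
    print("ignore admin:   ", build_mappings(SAMPLE_EVENTS, ignore_users=["CORP\\adm-alice"]))
    print("exclude servers:", build_mappings(SAMPLE_EVENTS, exclude_subnets=["10.2.0.0/24"]))
    print("flipped IPs:    ", overwritten(SAMPLE_EVENTS))
```
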
