The workstation and its IP address are being associated with the local login as well as the AD login credentials used to RDP to other servers.
This confuses the Palo Alto while deciding which user to associate the IP address to... the correct policy does not match for the user in question.
Is the server account which you use to log in during an RDP session part of a domain administrator account? If yes, then can you please try an account which is not part of domain administrator and see if the PC retains its original user ID and IP address?
Thanks for the response. I am afraid the usernames are part of the domain and unfortunately, in our environment, non-domain usernames are not permitted. Are there any other solutions?
I was thinking of ignoring the admin AD users on pan-agent and using the sys admins' IP addresses in the policies. Not a very smart solution, but I am still in search of a better solution to this problem.
When this issue occurs, are you logging on via RDP to a Domain Controller? If so, can you attempt to log on via RDP to another Server/Workstation (non-DC) and confirm whether the original User-ID mappings on both machines are retained?
According to some docs, the following event IDs are being monitored for by the pan agent:
So I find it interesting that your event ID 4624 would have something to do with this... Has the pan agent been updated to cover even the 4624 events for some odd reason?