RDP and the PAN-Agent

Showing results for 
Show  only  | Search instead for 
Did you mean: 

RDP and the PAN-Agent

L4 Transporter

I'm noticing that when a user connects to a server using RDP with a different username, the PAN-Agent is reading that username and associating it the user's computer.

For instance, a programmer named 'jdoe' connects to a web server from his PC using IP address using the username 'webadmin'. The traffic logs now read that 'webadmin' is logged on to

Is anyone else having this problem?


Hi Bryan,

I am RDP'ing to a server and not a domain controller.



Hi Bryan,

unfortunately we dont have any non-domained PCs connected in our domain.



Also experiencing the exact same behaviour!

Is there a best practice guide on how to best overcome this issue?


My only solution is to either wait for the WMI Query or have the user lock and unlock their PC.

According to some docs the following eventid's are being monitored for by the pan agent:

Win2003 DCs:




Win2008 DCs:




So I find it interresting that your eventid 4624 would have something to do with this... has the pan agent been updated to cover even the 4624 events for some odd reason?

I'm seeing the same problem.  User1 logs into PC1, then RDP's to SERVER1 as User2.  The PA then shows User2 mapped to the address of PC1.

Are you saying that if you wait log enough the WMI probing will resolve the mappings and the PA will see User2->SERVER1 and User1->PC1?

Can anyone from PaloAlto comment if this behavior was by design?   Any plans or suggestions how to address this?

L4 Transporter

This actually is an expected behavior.

Please see this document for reference:

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!