RDP and the PAN-Agent

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

RDP and the PAN-Agent

L4 Transporter

I'm noticing that when a user connects to a server using RDP with a different username, the PAN-Agent is reading that username and associating it the user's computer.

For instance, a programmer named 'jdoe' connects to a web server from his PC using IP address 172.16.3.3 using the username 'webadmin'. The traffic logs now read that 'webadmin' is logged on to 172.16.3.3.

Is anyone else having this problem?

21 REPLIES 21

Hi Bryan,

I am RDP'ing to a server and not a domain controller.

Cheers

Bhav

Hi Bryan,

unfortunately we dont have any non-domained PCs connected in our domain.

Cheers

Bhavin

Also experiencing the exact same behaviour!

Is there a best practice guide on how to best overcome this issue?

Thanks

My only solution is to either wait for the WMI Query or have the user lock and unlock their PC.

According to some docs the following eventid's are being monitored for by the pan agent:

Win2003 DCs:

672

673

674

Win2008 DCs:

4768

4769

4770

So I find it interresting that your eventid 4624 would have something to do with this... has the pan agent been updated to cover even the 4624 events for some odd reason?

I'm seeing the same problem.  User1 logs into PC1, then RDP's to SERVER1 as User2.  The PA then shows User2 mapped to the address of PC1.

Are you saying that if you wait log enough the WMI probing will resolve the mappings and the PA will see User2->SERVER1 and User1->PC1?

Can anyone from PaloAlto comment if this behavior was by design?   Any plans or suggestions how to address this?

L4 Transporter

This actually is an expected behavior.

Please see this document for reference:

  • 7712 Views
  • 21 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!