This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

RDP and the PAN-Agent

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

RDP and the PAN-Agent

mharding
L4 Transporter

‎02-01-2011 09:21 AM

I'm noticing that when a user connects to a server using RDP with a different username, the PAN-Agent is reading that username and associating it the user's computer.

For instance, a programmer named 'jdoe' connects to a web server from his PC using IP address 172.16.3.3 using the username 'webadmin'. The traffic logs now read that 'webadmin' is logged on to 172.16.3.3.

Is anyone else having this problem?

0 Likes Likes
21 REPLIES 21

bhavin_bhatt
Not applicable
In response to bryan

‎07-06-2011 03:20 AM

Hi Bryan,

I am RDP'ing to a server and not a domain controller.

Cheers

Bhav

0 Likes Likes

bhavin_bhatt
Not applicable
In response to bryan

‎07-06-2011 03:22 AM

Hi Bryan,

unfortunately we dont have any non-domained PCs connected in our domain.

Cheers

Bhavin

0 Likes Likes

bjackson
L2 Linker
In response to bhavin_bhatt

‎07-31-2012 07:19 PM

Also experiencing the exact same behaviour!

Is there a best practice guide on how to best overcome this issue?

Thanks

0 Likes Likes

mharding
L4 Transporter
In response to bjackson

‎08-01-2012 07:37 AM

My only solution is to either wait for the WMI Query or have the user lock and unlock their PC.

0 Likes Likes

mikand
L6 Presenter
In response to mharding

‎08-07-2012 03:32 AM

According to some docs the following eventid's are being monitored for by the pan agent:

Win2003 DCs:

672

673

674

Win2008 DCs:

4768

4769

4770

So I find it interresting that your eventid 4624 would have something to do with this... has the pan agent been updated to cover even the 4624 events for some odd reason?

Expo83074
L0 Member
In response to bpappas

‎12-11-2012 05:32 PM

I'm seeing the same problem.  User1 logs into PC1, then RDP's to SERVER1 as User2.  The PA then shows User2 mapped to the address of PC1.

Are you saying that if you wait log enough the WMI probing will resolve the mappings and the PA will see User2->SERVER1 and User1->PC1?

Can anyone from PaloAlto comment if this behavior was by design?   Any plans or suggestions how to address this?

0 Likes Likes

apasupulati
L4 Transporter

‎12-26-2012 05:13 PM

This actually is an expected behavior.

Please see this document for reference:

  • 9113 Views
  • 21 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks