Source user not found

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Source user not found

L3 Networker

Hi there,

I have a random issue occur whereby one or two of my users seem to loose access to their internet privileges. I check on PA and it shows the traffic but no source user, which is what the rule for their internet access is based on. If we reboot their pc then it is fine again, but I just wondered what could be causing this to all of a sudden and randomally not identify their user.

I have checked and they are not running any applications with elevated permissions. So just wondered if this is something anyone else has come across or knows how to resolve?

Oh, I have a PA 2020 box and 2 User identification servers running. Both online.

7 REPLIES 7

L6 Presenter

What is your settings of the pan-agent installations you run?

Everything from TTL's to if serverlogs are being followed along with wmi query of the clients?

Hi Mikand,

My settings on my PAN-Agents are as follows.

Enabled Security Log monitor. 1 Sec

Enable Server Session Read Frequency was off but I now have it on as 10.

Enabled WMI probing

Enabled NetBIOS Probing. 1 minute Interval

Enabled User Identification Timeout 45 min

And Use SSL is the only other option ticked in my settings.

L7 Applicator

If you are using an Agent, like User-ID agent, the agent has a "timeout" period where it will timeout the user who is logged in..  (I think 45 min default), might be longer.

After this timeout, the user's ID will be unknown, and at that time you can reboot/login again, this action should tell the AD server that the account has logged back in, thus updating the user information, thus Identifying the user. But there are really 2 answers:

1. Extend the user timeout, so the user's information will be in the cache longer and they will no be logged "out".

2. Setup and configure Captive Portal, so when users who are "unknown" are then prompted.

I hope this helps.

If this does not help, please open a case with support and we can assist that way.

Have a Great Day!

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!

I will try increase the timeout to see if that resolves it. Is there any harm in turning off that timeout? Ie: if someone logs on with a user with extended privileges and then logs off, then someone logs onto that pc locally, if I have turned the timeout off will they get the previous users web permissions?

As with Captive Portal, this was in use previously, but we are trying to move away from that in lieu of running our rules based on domain credentials. Hence my captive portal is currently disabled.

Your question:

"if someone logs on with a user with extended privileges and then logs off, then someone logs onto that pc locally, if I have turned the timeout off will they get the previous users web permissions?"

If the first user does not log off, then yes.

If the first logs out, then someone else logs in, there should be a system log that indicates that someone is logging in, and adjust the user info as needed.

If this is traffic on a Terminal server, where multiple people are logged into the same machine, then you would need to think about using the Terminal Services Agent.

Either way, You always want to have some level of "timeout".. be it 3-4-5 hours.. but the longer that you keep someone in the system..  As you would never want someone to be

logged into a machine for "infinity".

I can understand about Captive Portal. It makes sense.

I hope this helps!

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!

Another situation can be that userX is logged in but needs assistence from the support.

Support logins using RDP (through SCOM or such) as userY to remotely assist userX.

Now userY is the latest logged in to this device and suddently userX lost all its credentials in the network until the userX relogins.

Or is this handled some way today (because one ip can only have one user if im not mistaken in the userid-db)?

Yes, I have noticed that with the multi remote and when another userY logs on the currently logged on User X gets their permissions. Although I have made my own support team aware of this.

But I thought having the Client Probing set to 1 minute it means that they wouldn't have those extended permissions for very log after the userY logs off.

  • 3477 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!