Stop WMI-probing on User-ID Agent


L2 Linker

Hey there,

I am glad to join this community and am excited to work with these new-age firewalls.

To keep this question short and sweet, we have two PA-500s and are using GlobalProtect for VPN, and it works awesome! However, I did not set it up, but I did take over the position of the person who did.

Now, from my reading on the GlobalProtect setup, I understand the portal, the gateways, and the different authentication methods. We are using AD authentication to keep SSO going in our corporation.

Now, we set up the authentication agent on a Windows Server 2008 R2 server acting as our internal CA. From my reading it does either WMI or NetBIOS probing; since we are moving to an all-2008 forest functional level shortly and will be removing our last 2003 DC, I do not want to use NetBIOS at all.

It would appear that it's supposed to WMI-probe IPs that are trying to connect to VPN, or at least this is my current understanding.

The issue:

We have a monitoring server set up (running Zenoss), and I noticed I had forgotten to add the CA to be monitored. Once it was added, it was quickly apparent that there were non-stop Event ID 10009 DCOM errors. I created a TechNet post, and a very kind person told me to do a clean-boot test and enable services in halves to narrow down the culprit... it ended up being the User-ID Agent for the Palo Alto VPN authentication. Within 3 months it has generated over 160k events... it's flooding the event log.

I noticed the probes are going to every device in our network (iPhones, S4s, network printers, gateways, switches, etc.).

Anyone have any idea why this could be happening, and any thoughts on whether I could change it to a passive style of probing instead of active, to maybe help out? Or is WMI probing even needed for VPN to work?

Thanks in advance!


6 REPLIES

L4 Transporter

Hi, if you don't want to probe by NetBIOS you could use WMI probing, but you need special rights to do that.

You may use this:

PowerShell Script for setting WMI Permissions

But if the user is known by the agent, your WMI probing will not work.

User-ID Does Not Send WMI Probes for Known IP Addresses

Hey, thanks, I really appreciate an answer, but that doesn't really explain or answer my issue.

Like, why is it probing all these random IP addresses? Phones, printers, gateways... something doesn't seem right about that.

And the other question is still unanswered: is WMI probing, or probing in general, required?

From my reading there's a passive style of probing and an active style of probing; this seems to be doing active-style probing. From my reading of the Palo Alto PDFs on it, they didn't provide detailed steps on how to go from passive to active style probing, or how to change any settings on the client running the User-ID agent. Any links to more detailed steps on how to configure the agent would be nice.

Thanks again for the links, I'll still review them in hopes something else might be made clear that I was not sure about before.

Hi

The PA firewall asks the agent to resolve source IPs that the firewall doesn't know, and if the agent doesn't know the IP address it will initiate a probing action by WMI or NetBIOS, depending on which one was activated.

That's why your printers and other devices are being probed.

To stop the probing of these devices you have to declare their IPs in the exclude IP list in the zone object where you activated the user identification function and where these devices are allocated.

Maybe this is clearer now.

Thanks, it clears things up a bit...

When you state it asks the agent about IPs it doesn't know, what does it need to know, like a reverse nslookup? What information about the IP address does the PA need to know, and why? And it requests info on all IPs of packets it receives?

In our network, all user-based traffic is routed directly in the core section of our network and doesn't hit the PAs; the PAs act as a firewall for both a DMZ VLAN and all other internal networks, and to the internet. So what I'll do is check up on these exclude IP addresses in the zones. If I have to specify each IP manually it will be a pain, considering that a lot of the iPhones and mobile devices get new IP addresses if they are away past the DHCP lease time.

Thanks so much for helping clarify what's going on, and the steps I can take to help make my servers cleaner. Kudos!

Hi Zewwy,

Palo Alto tries to map the IP address of all the traffic ingressing a zone in which 'Enable User Identification' is checked to a user.

By using 'Enable User Identification', you are asking the PA to look up usernames for all the IP addresses it sees in traffic.

You have both include and exclude list options available, and adding an entire subnet or subnet range to the exclude list is also permitted.

Hope that helps.
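The two explanations above (the agent probes only source IPs it cannot already map, and excluded networks are never probed) can be checked against the evidence the original poster already has: the flood of DCOM Event ID 10009 entries on the agent host. The script below is an added example, not code from this thread or from Palo Alto Networks. It parses a constructed sample of 10009 messages (the wording is the standard Windows text; the addresses are made up), counts failed probe targets, groups them into /24 candidates for the exclude list, and models the lookup/probe decision described in the replies as a simplified assumption: an IP already in the agent's mapping is not probed, an IP inside an exclude network is not probed, everything else triggers a probe. On a real agent host the System log would be exported with Get-WinEvent rather than pasted in as literals.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of System-log lines from the User-ID agent host.
# Format assumed here: "<EventID> <message>"; only 10009 lines are DCOM probe failures.
SAMPLE_EVENTS = [
    "10009 DCOM was unable to communicate with the computer 10.10.20.15 using any of the configured protocols.",
    "10009 DCOM was unable to communicate with the computer 10.10.20.16 using any of the configured protocols.",
    "10009 DCOM was unable to communicate with the computer 10.10.20.15 using any of the configured protocols.",
    "10009 DCOM was unable to communicate with the computer 10.10.30.7 using any of the configured protocols.",
    "10009 DCOM was unable to communicate with the computer 192.168.5.200 using any of the configured protocols.",
    "7036 The Windows Update service entered the running state.",
]

EVENT_RE = re.compile(
    r"^(?P<id>\d+) DCOM was unable to communicate with the computer (?P<host>\S+) "
)


def parse_dcom_failures(lines):
    """Return the target host/IP of every Event ID 10009 line, in order."""
    targets = []
    for line in lines:
        m = EVENT_RE.match(line)
        if m and m.group("id") == "10009":
            targets.append(m.group("host"))
    return targets


def count_by_target(targets):
    """How many failed probes each device received (the noisiest targets first)."""
    return Counter(targets)


def group_by_subnet(targets, prefixlen=24):
    """Aggregate probed IPs into /prefixlen networks as exclude-list candidates."""
    nets = Counter()
    for host in targets:
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue  # a hostname rather than an IP cannot be grouped
        nets[ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)] += 1
    return nets


def probe_decision(ip_text, known_mappings, exclude_networks):
    """Model of the agent's behaviour as described in the thread (an assumption):
    'mapped'   - the agent already knows the user for this IP, no probe is sent
    'excluded' - the IP is inside an excluded network, no probe is sent
    'probe'    - otherwise the agent would probe the IP (WMI or NetBIOS)"""
    if ip_text in known_mappings:
        return "mapped"
    ip = ipaddress.ip_address(ip_text)
    if any(ip in ipaddress.ip_network(n) for n in exclude_networks):
        return "excluded"
    return "probe"


def still_probed(targets, known_mappings, exclude_networks):
    """Targets from the log that would keep generating 10009 errors after the
    exclude list is applied (hostnames are kept as-is since they cannot be checked)."""
    remaining = []
    for host in targets:
        try:
            ipaddress.ip_address(host)
        except ValueError:
            remaining.append(host)
            continue
        if probe_decision(host, known_mappings, exclude_networks) == "probe":
            remaining.append(host)
    return remaining


if __name__ == "__main__":
    targets = parse_dcom_failures(SAMPLE_EVENTS)
    print("failed probes per target:", dict(count_by_target(targets)))
    print("exclude-list candidates:", {str(n): c for n, c in group_by_subnet(targets).items()})
    # Constructed: the printer VLAN is excluded and one IP is already mapped to a user.
    print("still probed:", still_probed(targets, {"10.10.30.7": "jdoe"}, ["10.10.20.0/24"]))
```

Running it shows the pattern the poster saw: the same non-Windows addresses fail repeatedly, and grouping them by /24 gives the subnet entries the reply says may be added to the exclude list, which is far less work than listing each DHCP client by hand.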

Ohh, that's right! I remember the command it was using, the one that can be run from cmd... wmic /node:remotecomputer computersystem get username... I totally forgot about that!

From this PDF...

I don't know why this site is crossing out my hyperlink, considering it's from this very domain....
