TS Agent 6.0.3 on Windows Server 2012

L2 Linker

Hi all,

this is my environment:

PA3020 PANOS 6.0.2

3 Terminal Servers running on Windows Server 2012 R2 Datacenter, each one having PA TS Agent 6.0.3-8 onboard.

Documentation states that Windows Server 2012 is supported by TS Agent starting from 6.0.2. I had been waiting a very long time for this; till now I've tried previous versions of TS Agent in compatibility mode, but the issue was that logged-in user traffic was generated from System Source Port Allocation Range instead of Source Port Allocation Range, although logged-in users were apparently assigned correct source port ranges.

Now that I moved to TS agent 6.0.3 I was hoping to solve it, but I'm in the very same situation: logged-in user traffic is being generated from System Source Port Allocation Range instead of User Source Port Allocation Range

Let's have a look at my TS agent configuration

It should be as best practice is suggesting.

And here you can see the correct user-portrange mappings

Unfortunately only a little bit of logged-in user traffic comes out from assigned port ranges, but most of all it comes from system allocated ports

I've successfully shrunk the System Port Allocation Range with commands netsh int <ipv4|ipv6> set dynamic <tcp|udp> start=number num=range, hoping it would reduce the chance that the traffic would be sourced from those ports, but there is still no way to achieve this and most sessions originate from the system range...
Please note that none of the users are logged in with /admin option.

Is there anything missing/wrong?

Thank You

13 REPLIES

L4 Transporter

Hello

While we investigate why the ports are showing up as the system source ports rather than the user source ports, could you please confirm one thing: do you have User Identification enabled on the zone this traffic comes in on? This might explain the "empty" field you see for source user.

Also, what is the version of the PAN OS on the firewall? Also, is this happening on the GUI only, or do you find that the CLI also reports the same incorrect info for the ports and shows no users for the source user?

Hi, yes sorry not to have specified, "lan" zone you can see in the traffic log has already user-identification enabled, all UID Agent mappings are working and all traffic is seen as "user traffic" and not simple ip traffic.

The reason why I say "most of traffic coming from terminal servers" is that a tiny little bit of it is seen with user information, but all the rest is with empty user, let's say 99%...

Hope it helps

What is the version of the PAN OS on the firewall? Also, is this happening on the GUI only, or do you find that the CLI also reports the same incorrect info for the ports and shows no users for the source user?

PANOS is 6.0.2

As for the CLI, if you mean the show user ip-port-user-mapping all command, yes it shows the same mappings.

TS-Agent 172.30.2.121

Vsys 1, Flag 3

Port range: 20000 - 57499

Port size: start 400; max 4000

Block count 94, port count 37500

20000-20399: ********\******

22800-23199: ********\******

23600-23999: ********\******
....

Besides I have no match on the correct sec rules where users are indicated

If you need some other output let me know.
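An added example, not part of the original thread and not Palo Alto Networks code: a small Python check that parses mapping output in the layout quoted above and classifies traffic-log source ports as belonging to a user's block, to an unallocated part of the agent's user range, or to ports outside that range (such as the Windows system range the poster describes). The user names, the observed source ports and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the layout of the CLI output quoted in the thread;
# user names and observed source ports are made up for illustration.
SAMPLE_MAPPING = """\
TS-Agent 172.30.2.121
Vsys 1, Flag 3
Port range: 20000 - 57499
Port size: start 400; max 4000
Block count 94, port count 37500
20000-20399: EXAMPLE\\alice
22800-23199: EXAMPLE\\bob
23600-23999: EXAMPLE\\carol
"""
SAMPLE_SOURCE_PORTS = [20015, 22950, 1057, 1093, 1120, 58001, 21000, 1201]

def parse_mapping(text):
    """Return ((lo, hi) of the agent's user range, [(lo, hi, user), ...])."""
    m = re.search(r"Port range:\s*(\d+)\s*-\s*(\d+)", text)
    if not m:
        raise ValueError("no 'Port range:' line found")
    blocks = [(int(a), int(b), u.strip())
              for a, b, u in re.findall(r"^\s*(\d+)-(\d+):\s*(.+)$", text, re.M)]
    return (int(m.group(1)), int(m.group(2))), sorted(blocks)

def classify(port, user_range, blocks):
    """Map one source port to a user, or say why no user can be resolved."""
    for lo, hi, user in blocks:
        if lo <= port <= hi:
            return user
    if user_range[0] <= port <= user_range[1]:
        return "unallocated-user-block"   # inside agent range, no user holds it
    return "outside-user-range"           # e.g. system/ephemeral source ports

def summarize(ports, mapping_text):
    """Count how many observed source ports fall into each category."""
    user_range, blocks = parse_mapping(mapping_text)
    return Counter(classify(p, user_range, blocks) for p in ports)

if __name__ == "__main__":
    for label, n in summarize(SAMPLE_SOURCE_PORTS, SAMPLE_MAPPING).most_common():
        print(f"{n:3d}  {label}")
```

Run against source ports exported from the traffic log for one terminal server, a high "outside-user-range" count confirms that sessions are leaving from ports the TS Agent never assigned, which is why the firewall shows them with an empty source user.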
