I have a customer who has deployed a PA-2020 with 3 Terminal Server agents, and this seems to be operating well, with one exception.
They have configured a URL filtering policy that has a Continue action on a number of categories.
When a standard LAN user accesses these sites, the continue operation works fine. The problem is when a user on a Terminal Server accesses something from this category, they click on Continue and not only is that user allowed but all other users on the Terminal Server are allowed access without any further prompting.
Presumably this behavior is by design, as from what I have read and understand, the Continue action binds the IP address of the user (which is the same for all of the Terminal Server users).
Is there a way to implement the Continue action such that this binds to the TS user or port range rather than the IP address of the TS?
If verified, this sounds like a bug to me.
Using TSagent, the TSagent will inform the PA device which user uses which srcport range on which srcip (terminal server), and by that the PA device already knows and should be able to limit this continue to the particular user when userid is being used.
If one user clicks on a continue-page this "click" should only be valid for this particular user and not the whole network or for that matter the current srcip.
Another case where this can occur is if the users (for some reason) are already behind a NAT before reaching the PA device.
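
The difference discussed in this thread, as an added example that is not part of either post and is not PAN-OS code: a toy model of remembered Continue clicks, keyed either on source IP alone or on the user resolved from a TS-agent-style port-range mapping. The class, function names, addresses, port ranges, users and category are all constructed for illustration.

```python
# Constructed sample data: the kind of mapping a TS agent reports,
# (terminal-server IP) -> [(port range, user)]. All values are made up.
PORT_MAP = {
    "10.0.0.50": [((20000, 20999), "alice"), ((21000, 21999), "bob")],
}

def resolve_user(src_ip, src_port):
    """Return the user that owns src_port on a terminal server, else None."""
    for (low, high), user in PORT_MAP.get(src_ip, []):
        if low <= src_port <= high:
            return user
    return None

class ContinueCache:
    """Toy model of remembered Continue clicks (hypothetical, not PAN-OS)."""

    def __init__(self, per_user):
        self.per_user = per_user
        self.accepted = set()

    def _key(self, src_ip, src_port, category):
        if self.per_user:
            user = resolve_user(src_ip, src_port)
            if user is not None:
                return ("user", src_ip, user, category)
        # No port mapping (ordinary LAN host) or IP-only mode: key on the IP.
        return ("ip", src_ip, category)

    def click_continue(self, src_ip, src_port, category):
        self.accepted.add(self._key(src_ip, src_port, category))

    def needs_prompt(self, src_ip, src_port, category):
        return self._key(src_ip, src_port, category) not in self.accepted

def bob_prompted_after_alice_clicks(per_user):
    """alice clicks Continue; is bob on the same server still prompted?"""
    cache = ContinueCache(per_user)
    cache.click_continue("10.0.0.50", 20010, "social-networking")  # alice's range
    return cache.needs_prompt("10.0.0.50", 21500, "social-networking")  # bob's range

if __name__ == "__main__":
    print("IP-keyed, bob prompted:  ", bob_prompted_after_alice_clicks(False))
    print("user-keyed, bob prompted:", bob_prompted_after_alice_clicks(True))
```

With IP-only keying, the second user inherits the first user's click; with keying on the resolved user, each terminal-server user is prompted separately, while a host with no port mapping still falls back to its IP.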