04-04-2011 09:32 PM
I would like to know if there are some known issues about communications between the user agent and AD2008?
We are migrating from AD2003 to AD2008 and some User-ID associations are missed.
We are not using security logs at the moment, but only the session table monitoring.
We have already opened a case, but I would like to share this experience.
We also encountered some issues with a Juniper firewall and AD2008. The ALG MS-RPC feature based on UUID matching no longer works.
Is the UUID used by Palo Alto agents when communicating with the AD?
Thanks for your help.
04-05-2011 07:59 PM
No, not yet. We plan to do it with AD2008. We do not understand why some identifications are missed now (2008 vs 2003).
05-26-2011 08:50 AM
The root cause of this issue is becoming clearer:
When an anonymous event comes from a user PC to the DC (which has already been recognized by the AD agent), here is the behaviour:
With DC2003, the AD agent gets the field "sesi10_username" with an empty value, which has no effect on the PAN agent.
With DC2008R2, the AD agent gets the field "sesi10_username" with the value ANONYMOUS LOGON, which causes the PAN agent to overwrite the previous UserID-IP identification.
So, how to work around this issue? Is there a way on the agent to ignore ANONYMOUS LOGON?
Thanks for your help.
05-29-2011 04:18 PM
bdaussin wrote:
The root cause of this issue is becoming clearer:
When an anonymous event comes from a user PC to the DC (which has already been recognized by the AD agent), here is the behaviour:
With DC2003, the AD agent gets the field "sesi10_username" with an empty value, which has no effect on the PAN agent.
With DC2008R2, the AD agent gets the field "sesi10_username" with the value ANONYMOUS LOGON, which causes the PAN agent to overwrite the previous UserID-IP identification.
So, how to work around this issue? Is there a way on the agent to ignore ANONYMOUS LOGON?
Thanks for your help.
In the Palo Alto agent directory, create a file called "ignore_user_list.txt"
Add your "ANONYMOUS LOGON" to this file - you may need to put it in quotes, like I just did, as there is a space in the username.
See if this works.
Cheers!
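The mechanism described in the 05-26 post and the ignore-list workaround suggested above, shown as an added simulation that is not Palo Alto code: a naive handler overwrites an IP-to-user mapping on any non-empty "sesi10_username" (so an ANONYMOUS LOGON session displaces the real user), while a filtered handler skips names on an ignore list. The event structure, the mapping table, and the parsing of the ignore file (one name per line, optional quotes, case-insensitive match) are assumptions made for the illustration, and the sample events are constructed.

```python
"""Constructed simulation of User-ID style IP-to-user mapping updates.

Illustrates the failure mode from the thread: with DC 2003 the session
table returns an empty username (no effect), with DC 2008 R2 it returns
"ANONYMOUS LOGON", which a naive agent treats as a new user and uses to
overwrite a good mapping. The ignore-list filter prevents that.
Assumptions: event shape, mapping table, ignore-file syntax.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Set


@dataclass
class SessionEvent:
    """One row from a session-table poll (constructed simplification).
    sesi10_username is the field name quoted in the thread."""
    client_ip: str
    sesi10_username: str


def load_ignore_list(text: str) -> Set[str]:
    """Parse an ignore list: one username per line, blank lines and '#'
    comments skipped, optional surrounding quotes for names containing
    spaces (as the reply suggests). Case-insensitive matching and the
    quote handling are assumptions, not the agent's documented syntax."""
    names: Set[str] = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if len(line) >= 2 and line[0] == line[-1] and line[0] in "\"'":
            line = line[1:-1]
        names.add(line.casefold())
    return names


def apply_events_naive(mapping: Dict[str, str],
                       events: Iterable[SessionEvent]) -> Dict[str, str]:
    """Overwrite on any non-empty username: the behaviour the thread reports.
    An empty username (DC 2003) is a no-op; ANONYMOUS LOGON (DC 2008 R2)
    replaces the previously learned user."""
    for ev in events:
        if ev.sesi10_username:
            mapping[ev.client_ip] = ev.sesi10_username
    return mapping


def apply_events_filtered(mapping: Dict[str, str],
                          events: Iterable[SessionEvent],
                          ignore: Set[str]) -> Dict[str, str]:
    """Skip empty or ignored usernames so they cannot displace a real user."""
    for ev in events:
        name = ev.sesi10_username
        if not name or name.casefold() in ignore:
            continue
        mapping[ev.client_ip] = name
    return mapping


# Constructed sample: alice is learned, then her PC opens an anonymous
# session (2008 R2 style), and another host reports an empty name (2003 style).
SAMPLE_EVENTS = [
    SessionEvent("10.0.0.5", "ACME\\alice"),
    SessionEvent("10.0.0.5", "ANONYMOUS LOGON"),
    SessionEvent("10.0.0.6", ""),
]

SAMPLE_IGNORE_FILE = '# constructed ignore_user_list.txt\n"ANONYMOUS LOGON"\n'


def demo() -> Dict[str, Dict[str, str]]:
    """Run both handlers over the sample and return the resulting tables."""
    ignore = load_ignore_list(SAMPLE_IGNORE_FILE)
    return {
        "naive": apply_events_naive({}, SAMPLE_EVENTS),
        "filtered": apply_events_filtered({}, SAMPLE_EVENTS, ignore),
    }


if __name__ == "__main__":
    for label, table in demo().items():
        print(f"{label:9s} {table}")
```

The naive table ends with 10.0.0.5 mapped to "ANONYMOUS LOGON", which is the overwrite the thread describes; the filtered table keeps "ACME\alice". A real agent also needs to treat the ignore list as a per-username skip, not as a reason to drop the whole poll, which is the distinction behind the follow-up report that the file seemed to filter everything out.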
06-07-2011 05:36 AM
Thanks for your advice and workaround. We set up this file on the AD agent, but it seems that it filters out all information coming from the DC session table.
We have opened a case with support, but it takes quite a long time to get a useful answer.
Thanks,