User Agent picking up domain service account instead of end user

Reply
Highlighted
L1 Bithead

User Agent picking up domain service account instead of end user

We are running a 2008 R2 domain and the user agent is in and working.  However, it keeps showing one of our domain service accounts on many (not all) of the reports and monitoring instead of the actual user that is browsing.  We run the same service account that is showing up in the reports for our KACE agent and Sophos agent.  Not sure if this is what's causing the Palo to pick them up, but we need a way to see the actual end user and not the service account running (if this is indeed where it is coming from).  Again, this does not happen for all PCs, but quite a large percentage.  Any ideas on this?


Accepted Solutions
Highlighted
L6 Presenter

Does the pan-agent GUI still map the ip to the service account(via gui interface)? If not, try resetting the connection between the pan-agent and the pan device with the following command on the pan device:

> debug device-server reset pan-agent all

View solution in original post


All Replies
Highlighted
L6 Presenter

Create an ignore list and add the 'service' account so it does not overwrite the locally logged in user. Place the file in the pan-agent installation directory and then restart the pan-agent service.

"ignore_user_list.txt"

Example of names to place in the list:

ntadmin

administrator

Highlighted
L1 Bithead

I will try that, it sounds right. Is there any special syntax for what I put in the txt file or is just the fully qualified name with carriage return at the end required?

L6 Presenter

Service account name would be sufficient. Feel free to update the thread if you're still having issues nonetheless.

Regards,

Renato

Highlighted
L1 Bithead

Got the file in and restarted the service.  The Traffic Monitoring still shows the service account going by.  Does it take a while to flush the service account name out of the Security Logs on the DC maybe?

Highlighted
L6 Presenter

Does the pan-agent GUI still map the ip to the service account(via gui interface)? If not, try resetting the connection between the pan-agent and the pan device with the following command on the pan device:

> debug device-server reset pan-agent all

View solution in original post

Highlighted
L0 Member

Thanks that worked for me!

nato wrote:

Create an ignore list and add the 'service' account so it does not overwrite the locally logged in user. Place the file in the pan-agent installation directory and then restart the pan-agent service.

"ignore_user_list.txt"

Example of names to place in the list:

ntadmin

administrator

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!