User Agent picking up domain service account instead of end user

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

User Agent picking up domain service account instead of end user

L1 Bithead

We are running a 2008 R2 domain and the user agent is in and working.  However, it keeps showing one of our domain service accounts on many (not all) of the reports and monitoring instead of the actual user that is browsing.  We run the same service account that is showing up in the reports for our KACE agent and Sophos agent.  Not sure if this is what's causing the Palo to pick them up, but we need a way to see the actual end user and not the service account running (if this is indeed where it is coming from).  Again, this does not happen for all PCs, but quite a large percentage.  Any ideas on this?

1 accepted solution

Accepted Solutions

Does the pan-agent GUI still map the ip to the service account(via gui interface)? If not, try resetting the connection between the pan-agent and the pan device with the following command on the pan device:

> debug device-server reset pan-agent all

View solution in original post

6 REPLIES 6

L6 Presenter

Create an ignore list and add the 'service' account so it does not overwrite the locally logged in user. Place the file in the pan-agent installation directory and then restart the pan-agent service.

"ignore_user_list.txt"

Example of names to place in the list:

ntadmin

administrator

I will try that, it sounds right. Is there any special syntax for what I put in the txt file or is just the fully qualified name with carriage return at the end required?

Service account name would be sufficient. Feel free to update the thread if you're still having issues nonetheless.

Regards,

Renato

Got the file in and restarted the service.  The Traffic Monitoring still shows the service account going by.  Does it take a while to flush the service account name out of the Security Logs on the DC maybe?

Does the pan-agent GUI still map the ip to the service account(via gui interface)? If not, try resetting the connection between the pan-agent and the pan device with the following command on the pan device:

> debug device-server reset pan-agent all

Thanks that worked for me!

nato wrote:

Create an ignore list and add the 'service' account so it does not overwrite the locally logged in user. Place the file in the pan-agent installation directory and then restart the pan-agent service.

"ignore_user_list.txt"

Example of names to place in the list:

ntadmin

administrator

  • 1 accepted solution
  • 4867 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!