User-ID Agent questions?

Kashif · ‎01-24-2016

Hello

I have few questions regarding user-ID agent that is installed on DC (domain controller)

1- When the user login to machine, agent on DC send the username/IP details to PAN immediately?

2- Say after 10 minutes, user log off then agent on DC send the username/IP details to PAN immediately?

3- Multiple users login to one machine using switch user? In this case all users have access or only the first or last one?

4- If the user login to other machine without log off from the first one then in this case user have two IP, which IP will have access?

reaper · ‎01-25-2016

Hi

yes I am 🙂

The agent picks up on logon_success and auth_ticket_granted/renew events as listed in the admin guide

one way to 'time out' a user is by using the user identification timeout in the agent

But beware this may also kick out active users, so there needs to be a mechanism to 'keep alive' active users, and this is preferrably accomplished in conjunction with client probing.

are you referring to the TTL on the firewall? This is a separate timeout.

When the firewall's timeout expires the mapping is removed. if the firewall then receives a fresh connection from an IP without mapping, it will poll the User ID agent to see if it has a mapping. if it does (because it's own timeout has not expired yet), it will send the mapping to the firewall and the firewall refreshes it's entry. if the User ID agent has no mapping, but does have probing enabled, it will then use probing to determine the logged in user from the client machine.

for more information please take a look at this article : Getting Started: User-ID 🙂

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

View solution in original post

Remo · ‎01-24-2016

1- Depends on what you have configured in the "Security Log Monitor Frequency" Value in the User-ID Agend Konfiguration

2- Same as 1

3- Only the last one

4- Both (or also more IP's) then have access

reaper · ‎01-24-2016

hi!

1. The userID agent reads the security logs every few seconds (configurable) at which time the agent sends the data to the firewalls connected to it

2. The agent does not listen for log off events as these are unreliable (a user could simply close the lid on their laptop or unplug)
the mapping can either be set to a limited time to live(ttl) or probing can be enabled to periodically verify a user is still logged on

3. only 1 user can be mapped per IP address unless a terminal server client is installed. if the station is a regular workstation, the last user will be mapped, if the station is a terminal server with terminal server agent installed all users will be mapped

4. a single user can have multiple IP addresses mapped with their user, all IP address mappings will work

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Remo · ‎01-24-2016

@reaper wrote:
hi!

1. The userID agent reads the security logs every few seconds (configurable) at which time the agent sends the data to the firewalls connected to it

2. The agent does not listen for log off events as these are unreliable (a user could simply close the lid on their laptop or unplug)
the mapping can either be set to a limited time to live(ttl) or probing can be enabled to periodically verify a user is still logged on

3. only 1 user can be mapped per IP address unless a terminal server client is installed. if the station is a regular workstation, the last user will be mapped, if the station is a terminal server with terminal server agent installed all users will be mapped

4. a single user can have multiple IP addresses mapped with their user, all IP address mappings will work

Are you sure that the agent does not check the logoffevents at all? I know that when the users for example closes the lid, there will be no logoff event and then the ttl will be used as kind of fallback method? Actually now I am asking myself how this effectively works, because we do not have any additional client probing configured but the user-to-ip mapping also works when the ttl expires after the first userloginevent.

reaper · ‎01-25-2016

Hi

yes I am 🙂

The agent picks up on logon_success and auth_ticket_granted/renew events as listed in the admin guide

one way to 'time out' a user is by using the user identification timeout in the agent

But beware this may also kick out active users, so there needs to be a mechanism to 'keep alive' active users, and this is preferrably accomplished in conjunction with client probing.

are you referring to the TTL on the firewall? This is a separate timeout.

When the firewall's timeout expires the mapping is removed. if the firewall then receives a fresh connection from an IP without mapping, it will poll the User ID agent to see if it has a mapping. if it does (because it's own timeout has not expired yet), it will send the mapping to the firewall and the firewall refreshes it's entry. if the User ID agent has no mapping, but does have probing enabled, it will then use probing to determine the logged in user from the client machine.

for more information please take a look at this article : Getting Started: User-ID 🙂

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Kashif · ‎01-26-2016

Hello Reaper

Thanks. Lets say user login to the machine and idle for couple of hours and Lets say agent does not have probing enabled then how the agent refresh user-ip mapping works, I mean after 45 minutes (in your above screenshot) then agent will remove the mapping and that will block the user on firewall? User have to log off and login again?

reaper · ‎01-27-2016

Hi

ok let's try a few scenarios:

a) no probing, timeout 45 minutes: the only way for the timeout to get refreshed in this scenario is if any new logs are generated, so the user accesses network shares or performs tasks that require some sort of credential check. if none of those events happen, the user-ip mapping will be removd and the user would get blocked. requiring him to log out and in again

for this scenaraio, you could add a couple of additional methods to help re-identify:

- enabling 'server read' in the agent. this will allow a refresh to happen on mapped drives the user may have on the server

- configure captive portal: this will allow you to either silently reauthenticate through NTLM browser challenge or present the user with a web form

b) probing, timeout 45 minutes: if the user idles and the mapping is removed, once the user gets active again, the firewall will see the session, query the agent for information. since the agent has no information it will probe the user and get the info, then inform the firewall of the mapping and the user will be granted access again

so if you're not planning on using probing, i would either recommend increasing the timeout to several hours to ensure users can be idle without losing access, or you can enable captive portal to get around the timed out mapping

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Kashif · ‎05-17-2016

Sorry for the late reply. Thanks for the crystal clear explaination 🙂 Just few things:

1- What is the cache time for user-ip mapping on firewall and where is that setting?

2- If user IP is changed then what happen like giving static IP? In my opinion, firewall will see the new IP and query to agent that surely does not have mapping for this new IP and user gets block on firewall. User has to do logg of and login again?

reaper · ‎05-18-2016

for 1. the firewall inherits the idle timeout from the userID agent, so if it's idle timer is set to 45 minutes, the firewall's timer will be 2700 seconds

for 2. if the user decides to 'right now' disable DHCP and set a static ip address, the AD will not be aware of this until a logon event occurs that can be logged in which case the UserID agent would not be able to provide an IP address unless probing is enabled.

If the firewall requests user mapping for an IP the UserID agent does not have a mapping, but probing is configured, the UserID agent will send out a probe.

If probing is disabled, the user will remain unknown and blocked (or different policy applied) until a logon event occurs that can be picked up by the USerID agent (server read, drive mapping, logoff/logon... )

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Unlock your full community experience!

User-ID Agent questions?

User-ID Agent questions?

Show your appreciation!