User-ID Agent Timeout Triggering

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

User-ID Agent Timeout Triggering

L2 Linker

I'm going through implementing a special 'modified' SP800-171R2 control list and I believe I can achieve satisfying controls such as 3.13.9 "user session timeout/terminate external access etc etc" control with the UID timeout function.

 

If I tied external internet access to a security group in my AD and granted users membership to that group, then when their ip-mapping cache is up for renewal and isn't renewed then they would effectively have their "session terminated" as the control requires.

 

However, I have several questions on how UID determines a renewal. Obviously UID caches the user's successful log in or kerberos grant and that lasts your defined cache period (45 minutes by default), but once a renewal is necessary what is criteria that UID is searching for to grant a renewed ip-mapping?

 

This article states a few Event ID's that UID looks for to grant a mapping, but I can almost bet money these aren't everything UID is using to define user activity: Security Event IDs from Active Directory Used with User-ID Agent 

 

The reason I doubt that's an exhaustive list is it seems there's a large gap for security events to be missed. For example - a user logged in, and then 20 minutes later was locked out of their account. Both events happen within the 45-minute cache renew window with the lockout being the most recent event to be logged. Would UID read the Event ID 4740 for account lockout and deny a mapping renewal for that user? According to that article, no, but that seems silly, and I highly doubt that to be the case as that would leave fairly major security gaps within the UID function. Would the lockout be handled by LDAP and UID genuinely only monitors log-in activity?

 

If that's the case, what if a user logs in and is active for the entire 45-minutes so they don't log in a second time to trigger a renewal and the kerberos ticket lifetime is 10-hours so there wouldn't be a TGT event ID for a renewal either. Would the user need to log out/in to trigger UID to map their ID to an IP? Would I need to set our kerberos halflife to a shorter duration so the events are more frequent and keeps ip-mappings fresh?

 

I'm trying to understand what exactly triggers UID to grant ip-mappings and subsequently renew those mappings. If there's a way to "game the system" with the way UID processes renewals, then I may not be able to use it for meeting compliance.

 

Has anyone tested UID to this extent or found a document useful in explaining more about this topic?

 

TL; DR

Is there an official exhaustive list of Event ID's that UID utilizes to trigger renewals, or adversely denials, for ip-mapping?

-RH747
2 REPLIES 2

Cyber Elite
Cyber Elite

Hello,

 

What is your current setup for obtaining user-id information? For example, if you have the Windows/PAN-OS user-id agents setup to poll your DCs or a read-only DC, the most obvious way a renew happens is when the clients do a gpupdate (which I believe the default for that is 90 minutes +/- 30), that generates a login event as far as the DCs are concerned which refreshed the mapping. You would also set the frequency that your user-id agents poll the servers.

 

You can also obtain user-id mapping via GlobalProtect, either connecting do an external or internal gateway, where that generates refreshes more frequently based on if the client is active or not. You could also obtain user-id via an API, possibly from your enterprises NAC.

 

Each of those sources would have their own user-id timeouts, and each have some pros and cons so you could use a combination of them. 

 

But also I dont believe this is relevant to that NIST control. The way Im understanding that is terminating inactive/dead sessions, which would be configured under Device>Setup>Session>Session Timeouts

Currently I have UID agents polling on my DCs. I thought about an internal GP gateway as well but decided against it initially, perhaps that would be more ideal for my desired outcome based on what I've been reading!

 

So, based on your response, I suppose UID does truly only poll for those few events and nothing more than that? If I want to maintain an active mapping, with no gaps, I either have to extend the cache timeout to my kerberos/gpupdate/etc polling interval or match those to my cache timeout.

 

Also, yes! You are correct, but I'm abiding by a slightly modified version of that NIST control that requires a few extra 'sub-controls' on top of the 'primary-control'. One of them being identification of the user within their session and another that terminates all external access after 60 minutes inactivity, so UID mapping would be great (or admittingly GP, but I haven't done anything with internal gateways, so this seemed like the easier option). Once I started looking into UID it seems I overestimated its function and it truly only polls for a few logon events and doesn't really extend beyond that.

 

I suppose my two options would be to adjust polling in my agent/environment to sync with each other within a 60-minute window, or setup an internal GP gateway with similar timeouts.

 

Time to weigh my options, thanks!

-RH747
  • 581 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!