Is there a best practice for making the Palo able to realize who is currently actually logged onto the machine, or are we forced to disable Fast User Switching for this? (Windows 10)
I know currently that if user A logs in, it knows it's A. If we switch user and B logs in, it then knows it's B. However if we switch user back to A, the logs can keep just reporting the user as B, as I believe the fast user switching doesn't fire off the necessary log for the palo to check?
Fast user switching doesn't actually check back in with Active Directory so if that's how you are getting your user-id information this won't exactly work. Probing would really be your answer here with a shorter probe interval, however this comes with its own list of issues.
Best case solution: Your environment isn't dependent on allowing FUS and you can simply disable it and move on with your life.
After searching a little more, is seems like MS did add in securty event IDs to show when logging in/out using Fast User Switching. 4778 & 4779 which some say solved the issue for their vendors. If PAN doesn't currently support reading those, that would be a nice addition. I will bring up the possibilty of disabling FUS with the team that would make that decision though, thank you.
Do they use Outlook with Exchange? You can point to it for user-id info and it should pick up on that, since it has to authenticate.
Just a thought.
I actually thought of that as well, but I don't know if that will work with FUS. The other user's session to the best of my knowledge still stays running in the background, so if they didn't close Outlook you would be receiving information with both users.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The Live Community thanks you for your participation!