05-27-2013 01:15 AM
Hi ppl!
We have a problem regarding User-ID and the security log from Windows AD. Normally when the user logs in on a Windows PC and connects to AD, the User-ID and IP > username mapping is correct.
The problem occurs when a "GPO" on the client starts up with system privileges and another user account (administrator rights account). These GPOs run with the same user privileges on all clients on a schedule.
The user > IP mapping in the Windows security log will then contain the "administrator" user and the original user will no longer exist until the user himself connects to AD (opens the file share/connects to Exchange).
The result is that the user will lose connection until he reconnects to AD and the user > IP mapping is correct again.
I have configured the firewall to ignore the user that runs the GPO, and the result is that I have no "source user" in Monitor and the session is dropped in the FW.
If I don't ignore the user, a lot of computers will get internet connections with the same User-ID. This will compromise our security policy.
Hope some of you have ideas on how to solve this problem.
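A small model of the overwrite described in the post, added here as an illustration and not code from the poster or from Palo Alto: constructed logon events (the account names CORP\alice, CORP\bob, CORP\gpo-svc and the IP addresses are assumptions) are replayed into an IP-to-user table the way a log-tailing agent would, once naively, once with the GPO account on the ignore list, and once with a mapping timeout long enough to cover the workday; the expiry behaviour is an assumption about the agent, not a statement of the product's internals.

```python
from typing import Dict, Iterable, Optional, Set, Tuple
# Constructed sample logon events (not real logs), in the shape a User-ID
# agent extracts from Windows security log event 4624 (successful logon):
# (minutes since midnight, account, logon type, workstation IP).
# Logon type 2 = interactive console, 3 = network, 4 = batch/scheduled task.
Event = Tuple[int, str, int, str]
SAMPLE_EVENTS: Tuple[Event, ...] = (
    (480, "CORP\\alice",   2, "10.1.2.30"),  # alice logs in at her PC
    (481, "CORP\\bob",     2, "10.1.2.31"),  # bob logs in at his PC
    (495, "CORP\\gpo-svc", 4, "10.1.2.30"),  # scheduled GPO task on alice's PC
    (495, "CORP\\gpo-svc", 4, "10.1.2.31"),  # same task on bob's PC
    (500, "CORP\\alice",   3, "10.1.2.30"),  # alice opens a file share (touches AD again)
)
NOW = 540  # 09:00, the moment the firewall's ip -> user table is inspected


def build_mapping(events: Iterable[Event], now: int, timeout: int = 45,
                  ignore_users: Iterable[str] = (),
                  logon_types: Optional[Set[int]] = None) -> Dict[str, str]:
    """Replay logon events into an ip -> user table, last writer wins.

    Simplified model (an assumption, not the product's code) of an agent tailing
    the security log: accounts on the ignore list are skipped, an optional
    logon-type allow-list drops batch/service logons, and a mapping that was not
    refreshed within `timeout` minutes of `now` has expired.
    """
    ignored = {u.lower() for u in ignore_users}
    latest: Dict[str, Tuple[str, int]] = {}
    for ts, user, logon_type, ip in events:
        if user.lower() in ignored:
            continue
        if logon_types is not None and logon_type not in logon_types:
            continue
        latest[ip] = (user, ts)
    return {ip: user for ip, (user, ts) in latest.items() if now - ts <= timeout}


def mapping_without_ignore() -> Dict[str, str]:
    """First symptom in the post: bob's PC is now attributed to the GPO account."""
    return build_mapping(SAMPLE_EVENTS, NOW)


def mapping_with_ignore() -> Dict[str, str]:
    """Second symptom: ignoring the GPO account leaves bob's PC with no user at all,
    because his own logon aged out and the ignored events never refreshed it."""
    return build_mapping(SAMPLE_EVENTS, NOW, ignore_users={"CORP\\gpo-svc"})


def mapping_with_ignore_and_longer_timeout() -> Dict[str, str]:
    """Ignore list plus a timeout that covers the workday keeps both users mapped."""
    return build_mapping(SAMPLE_EVENTS, NOW, timeout=480, ignore_users={"CORP\\gpo-svc"})
```

Passing `logon_types={2, 3, 10}` to `build_mapping` shows the alternative of dropping batch and service logons regardless of which account runs them.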
05-27-2013 01:27 AM
You can enable WMI polling (make sure to have NetBIOS polling disabled) of the clients, but I dunno if that will fix this case where the wrong User-ID is mapped to the current srcip.
05-27-2013 01:40 AM
Hi Mikand!
The problem with WMI polling is that we have a lot of computers and the WMI polling will create a massive overhead on the network (5000-7000 computers online).
05-27-2013 02:47 AM
What about if you install the PAN-agent on each DC so it becomes a 1:1 relationship between DC and PAN-agent?
This way you can configure your PAN-agent to only tail the security log from localhost (and by that no network traffic) along with the WMI polling.
I assume only the already known IP addresses will be polled to verify if the user is still logged on at the client, and that shouldn't be too much traffic (because with about 7000 clients I assume you have more than 2 DC boxes, and the way Microsoft AD functions, only the DC closest to the client (or rather the one that replies fastest) will be the one that logs the particular client in its security log).
05-27-2013 03:06 AM
Ref. Palo Alto:
"In large deployments, it is important to set the probe interval properly to allow time to probe eac...
We don't use the PAN-agent. The agent runs on the appliance (ver 5.0.4).