I have some problems with user identification and I'm very confused about how it works.
In the case that we use the User-ID agent with AD, is the following process correct?
1. A user logs on to PC-A with his domain credentials.
2. An event is created in the Security log (ID 4768/4769/4770) "LOGON USER-A -> PC-A"
3. The User-ID agent checks the security log every 1 second for new events and associates PC-A -> USER-A
4. The Palo Alto firewall detects traffic from PC-A and queries the User-ID agent for the IP-user mapping.
5. The Palo Alto firewall queries the agent every 5 seconds to check for any changes in the IP-user mapping.
.... 10 minutes later...
6. USER-A closes his session.
7. USER-B logs on to PC-A with his domain credentials
8. An event is created in the Security log (ID 4768/4769/4770) "LOGON USER-B -> PC-A"
9. The User-ID agent checks the security log every 1 second for new events and associates PC-B -> USER-A ....or is it necessary to wait until the age-out timer expires?
10. The Palo Alto firewall queries the agent every 5 seconds to check for any changes in the IP-user mapping and detects the new IP-user mapping.
When user B logs on to PC A as a domain user, the AD will create a new event which triggers the agent to create a new entry. So when the PA firewall tries to get a new delta mapping, it will get the new mapping.
As each IP can only have one user mapped to it, the box will update the record with the new info.
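
A simplified model of the behaviour described in the replies above, as an added example that is not part of the original thread and is not Palo Alto Networks code. The class and function names, the IP address, the user names and the 2700-second age-out value are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Mapping:
    user: str
    seen_at: float  # time of the logon event that created the entry
    seq: int        # change counter, used to serve deltas


class MappingTable:
    """Simplified model: one user per IP, newest logon event wins."""

    def __init__(self, age_out_seconds):
        self.age_out = age_out_seconds  # constructed value, not a product default
        self.by_ip = {}
        self.seq = 0

    def on_logon_event(self, ts, ip, user):
        # A new event for a known IP replaces the entry immediately;
        # it does not wait for the old entry to age out.
        self.seq += 1
        self.by_ip[ip] = Mapping(user, ts, self.seq)

    def expire(self, now):
        # Age-out only removes entries that received no newer event.
        stale = [ip for ip, m in self.by_ip.items() if now - m.seen_at > self.age_out]
        for ip in stale:
            del self.by_ip[ip]

    def delta_since(self, last_seq):
        # What a polling firewall would pick up: entries changed since its last poll.
        return {ip: m.user for ip, m in self.by_ip.items() if m.seq > last_seq}

    def lookup(self, ip, now):
        self.expire(now)
        m = self.by_ip.get(ip)
        return m.user if m else None


def replay():
    # Constructed events: USER-A logs on to PC-A, USER-B follows 10 minutes later.
    table = MappingTable(age_out_seconds=2700)
    table.on_logon_event(0, "10.0.0.15", "CORP\\user-a")
    first_poll, polled_seq = table.delta_since(0), table.seq
    table.on_logon_event(600, "10.0.0.15", "CORP\\user-b")
    second_poll = table.delta_since(polled_seq)
    return (first_poll, second_poll,
            table.lookup("10.0.0.15", 605), table.lookup("10.0.0.15", 3301))
```

In this model the second poll returns only the changed entry for the IP, and the entry disappears only when no further logon event refreshes it before the age-out interval passes.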