User-ID doubt

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

User-ID doubt

L1 Bithead

I have some problems with user identification and I'm very confused about how it works.

In the case that we use User-ID agent with AD. Is it the following process correct?

1.A user makes a logon in PC-A , with his domain credentials.

2.An event is created in Security log (ID 4768/4769/4770) "LOGON USER-A -> PC-A"

3.User-ID agent check the security log every 1 second for new events and asociates PC-A -> USER-A

4.Paloalto Firewall detects trafic from PC-A and query User-ID agent for Ip-user mapping.

5.Paloalto Firewall queries Agent every 5 seconds to check any changes in ip-user mapping.

.... 10 minutes later...

6. USER-A closes his session.

7.USER-B makes a logon in PC-A, with his domain credentials

8.An event is created in Security log (ID 4768/4769/4770) "LOGON USER-B -> PC-A"

9.User-ID agent checks the security log every 1 second for new events and asociates PC-B -> USER-A ....or is it neccesary wait till age-out timer?

10. Paloalto Firewall queries Agent every 5 seconds to check any changes in ip-user mapping and detects the new ip-user mapping.

1 REPLY 1

L4 Transporter

Hi,

When user B logon PC A by domain user, the AD will create a new event which trigger the agent to create a new entry. So when PA firewall try to get a new delta mapping it will get a new mapping.

As each IP can only have one user mapped to it the box will update the record with thenew info.

Regards,

Jones

  • 2021 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!