I have a question about the events used to map users to IPs in the firewall.
According to documentation, the PA uses three event IDs to map users to IPs: 4768, 4769, 4770.
The question I have is this:
Suppose a user (say his username is bsmith) is an IT administrator and also has a username of bsmithadmin with administrative rights (he may use this account to map to admin shares, etc.). If the user uses his admin account from his workstation to map shares or authenticate with servers, won't it generate an event ID 4769? In doing research, I found documentation that says a 4769 is generated when users access servers or resources on the network.
Wouldn't that cause the PA to map the admin account to the workstation IP instead of his regular user account, thus messing with the policies applied to him?
Is there a way to change which events trigger an update in the PA, and, say, only read event ID 4768 events that indicate a successful login?
Your understanding of the situation is valid. The Pan Agent will pick up the username for the admin user when the fileshares are mapped.
At the present time the user identification agents do not support exclusion of event IDs.
If you would like to see this feature implemented please get in touch with your sales team.
Another option would be to set up an ignore-user list that includes the bsmithadmin user. This will keep the Pan Agent from mapping any event IDs associated with bsmithadmin.
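To make the behaviour discussed in this thread concrete, here is a small simulation of a log-reading user-to-IP mapping agent. It is an added example written for this page, not Palo Alto code, and it does not read a real Windows Security log: the event lines and the ignore list are constructed, rendered one event per line with only the fields the mapping needs, and the assumptions that the agent keeps the newest successful event for an IP and that the ignore list is one account name per line are mine. The `event_ids` parameter exists only to show what the questioner's "4768 only" idea would change; as the reply above says, the real agent has no such filter.

```python
"""Simulated User-ID style mapping from Kerberos events (constructed example).

Not Palo Alto code.  Shows why a 4769 from bsmithadmin overwrites the
bsmith mapping for a workstation, and what an ignore-user list changes.
"""
import re
from typing import Dict, FrozenSet, Optional, Set

# Event IDs named in the thread: 4768 TGT requested, 4769 service ticket
# requested, 4770 ticket renewed.  The simulated agent maps on all three.
KERBEROS_EVENT_IDS: FrozenSet[int] = frozenset({4768, 4769, 4770})

# Constructed, single-line rendering of Security-log events.  Real events are
# multi-field XML; only Account Name, Client Address and Result Code are kept.
# The 4769 for bsmithadmin is the newest event for 10.1.1.50, the case the
# question describes (admin account mapping a share from the user's workstation).
SAMPLE_LOG = """\
EventID=4768 Account Name=bsmith Client Address=::ffff:10.1.1.50 Result Code=0x0
EventID=4770 Account Name=bsmith@CORP.LOCAL Client Address=::ffff:10.1.1.50 Result Code=0x0
EventID=4769 Account Name=bsmithadmin@CORP.LOCAL Service Name=cifs/fs01 Client Address=::ffff:10.1.1.50 Result Code=0x0
EventID=4768 Account Name=jdoe Client Address=::ffff:10.1.1.51 Result Code=0x0
EventID=4768 Account Name=jdoe Client Address=::ffff:10.1.1.52 Result Code=0x6
EventID=4624 Account Name=svc_backup Client Address=10.1.1.53 Result Code=0x0
"""

# Constructed ignore-user list: one account per line (assumed format).
SAMPLE_IGNORE_LIST = """\
bsmithadmin
svc_backup
"""

LINE_RE = re.compile(
    r"^EventID=(?P<id>\d+)\s+Account Name=(?P<user>\S+).*?"
    r"Client Address=(?P<ip>\S+)\s+Result Code=(?P<code>0x[0-9A-Fa-f]+)$"
)


def parse_event(line: str) -> Optional[dict]:
    """Parse one constructed log line; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    user = m.group("user").split("@", 1)[0].lower()  # drop the Kerberos realm
    ip = m.group("ip")
    if ip.startswith("::ffff:"):  # Kerberos events log IPv4 as IPv4-mapped IPv6
        ip = ip[len("::ffff:"):]
    return {"id": int(m.group("id")), "user": user, "ip": ip,
            "code": m.group("code").lower()}


def load_ignore_list(text: str) -> Set[str]:
    """Ignore-user list: one account name per line, case-insensitive (assumed format)."""
    return {ln.strip().lower() for ln in text.splitlines() if ln.strip()}


def build_mappings(log_text: str,
                   ignore_users: Set[str] = frozenset(),
                   event_ids: FrozenSet[int] = KERBEROS_EVENT_IDS) -> Dict[str, str]:
    """Return ip -> user, the newest successful, non-ignored event per IP winning.

    event_ids is only there to simulate the 'read 4768 only' idea from the
    question; the real agent does not expose such a filter.
    """
    mappings: Dict[str, str] = {}
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev["id"] not in event_ids:
            continue
        if ev["code"] != "0x0":  # failed request: no ticket issued, no mapping
            continue
        if ev["user"] in ignore_users:
            continue
        mappings[ev["ip"]] = ev["user"]  # assumption: newest event for an IP wins
    return mappings


if __name__ == "__main__":
    print("all three IDs, no ignore list:", build_mappings(SAMPLE_LOG))
    print("with ignore list:             ",
          build_mappings(SAMPLE_LOG, load_ignore_list(SAMPLE_IGNORE_LIST)))
    print("4768 only (not a real option):", build_mappings(SAMPLE_LOG, event_ids=frozenset({4768})))
```

Run as is, the first line shows 10.1.1.50 mapped to bsmithadmin because the share-mapping 4769 is the newest event for that address; adding bsmithadmin to the ignore list restores the bsmith mapping without touching jdoe, and the failed 4768 (Result Code 0x6) never produces a mapping. Whether the admin account sits in the ignore list or the agent merely saw a 4768 first, the user's policy still follows whichever mapping is current, so the ignore-list entry is the part that actually fixes the case in the question.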