08-25-2021 01:13 PM
Hello,
We leverage a deployment software at our organization, and when a computer is having software deployed or is being scanned for inventory by this software, a service account does a network logon to create a temp service to run the process. This process generates a logon event on our domain controllers and maps the IP of the device being scanned/deployed to the service account on the firewall. This has created some issues with security policies on our firewall, as we leverage user-id for most policies. The fix for this seems to be to add the service account to the ignore user list in the user-id configuration, and we have successfully done this config on one HA pair of firewalls; however, we went to do the same on another pair of firewalls and I continue to see sessions established with the service account as the source user. I have the account added to the list in the same format it is displayed on the traffic logs, "domain\user"; this is also how we have it successfully set up on the other pair of firewalls. Any ideas on what may be causing the service account to continue to show up on this pair of firewalls?
08-26-2021 03:19 PM
Looks like I am no longer seeing new sessions initiated with that source user. I am guessing what I was observing was user-id mappings made before I excluded the service account that had not timed out yet.
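Added example, not part of the original thread: a small Python check for the situation described above, listing IP-to-user mappings that still name an ignored account and how long the longest one has left before it times out. The table is constructed sample data laid out like the output of the PAN-OS CLI command `show user ip-user-mapping all` (the exact column layout is an assumption), and the account name `corp\svc-deploy` is hypothetical.

```python
import re

# Constructed sample, modelled on `show user ip-user-mapping all`.
# The column layout is an assumption; adjust ROW if your output differs.
SAMPLE = r"""
IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
10.20.1.15      vsys1  AD      corp\svc-deploy                  1780           1780
10.20.1.16      vsys1  AD      corp\jsmith                      2400           2400
10.20.1.17      vsys1  AD      CORP\SVC-Deploy                  95             95
10.20.1.18      vsys1  AD      corp\svc-deploy2                 2700           2700
"""

# One data row: IP, vsys, mapping source, user, idle timeout, max timeout.
ROW = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)$"
)

def stale_mappings(table_text, ignored_users):
    """Return (ip, user, max_timeout_s) for rows still mapped to an ignored
    account, longest remaining timeout first. Names are compared whole and
    case-insensitively, so svc-deploy2 does not match svc-deploy."""
    ignored = {u.lower() for u in ignored_users}
    hits = []
    for line in table_text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header, separator or blank line
        ip, _vsys, _source, user, _idle, max_t = m.groups()
        if user.lower() in ignored:
            hits.append((ip, user, int(max_t)))
    return sorted(hits, key=lambda h: h[2], reverse=True)

def seconds_until_clear(hits):
    """Longest remaining timeout among the stale mappings, 0 if there are none."""
    return max((t for _, _, t in hits), default=0)

if __name__ == "__main__":
    found = stale_mappings(SAMPLE, [r"corp\svc-deploy"])
    for ip, user, max_t in found:
        print(f"{ip:15} still mapped to {user} for up to {max_t}s")
    print("all stale mappings gone within", seconds_until_clear(found), "s")
```

Entries like these can be left to expire, or removed immediately on the firewall with `clear user-cache ip <ip>`.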