I have the User-ID agent configured and working nicely, however I just noticed a few entries in the URL logs showing for the domain user who last logged on to one of our PC's when I know that the PC is currently logged on using a local account rather than a domain account.
I guess I've missed something?
The PAN Agent learns from the AD security log when a user logs in, and it won't detect when a user has logged out until a new security log file is received. Enabling NetBios probes will more quickly verify changes to logged in users. There is also a configurable "Age-out" timer option in the PAN Agent which determines how long entries in the IP to username cache are valid. The default is 45 minutes.
Palo Alto Networks
Does the same apply to ts-agent that it have to be used together with pan-agent to make sure to not have incorrect logs (I mean logs that claims that a particular user did something but the user is no longer logged in to the terminalservers)?
Or how are logged out users handled in that case (does ts-agent somehow notify the PA unit that the user is no longer logged in)?
The PAN device will correlate the user information learned from the TS-Agent and the group information learned from the Pan-Agent. This is important if you are applying domain-group based security policies.
Regarding the second part of the question, yes the TS-Agent adds and removes users as they log in and off from the terminal server. You can issue the command below 'show ts-agent user-IDs' to display a listing of the corrently logged in users learned from the TS-Agent.
To view the status of the configured TS-Agents and the currently logged in users learned from the TS-Agent, the following commands can be used to display the information:
Display the current connection status of the TS-Agent
admin@PAN>show ts-agent statistics
Display the list of currently logged in users learned from the TS-Agent
admin@PAN>show ts-agent user-IDs
Perhaps this is a bit off-topic (if so please move this question to a new thread 🙂 but from the PAN device point of view does it matter if the ts-agents are accessible through the MGT interface or through a dataplane interface (redirected by the service route configuration along with a policy allowing the tcp-5009 traffic or whatever port you have configured the ts-agents to run at)?
Im thinking if dataplane is used perhaps some session ttl will screw up the communication between the PAN device and the ts-agents or so?
Because when using off-band management the MGT interface will be connected to a management-network while the terminalservers (where the ts-agents exists on) will be accessible through one of the dataplane interfaces.
Hmm because I have noticed that my ts-agents gets disconnected by the PAN unit after approx 2h50m which makes the logs be incorrect regarding userinformation or completely empty regarding which user made which session (since the PAN-unit still believes its "connected, ok" with "show ts-agent statistics" while each ts-agent on the terminalservers along with "netstat -an | find "5009"" verifies that the PAN-unit is no longer connected).
Today I setup a custom app id (to make sure there is no session inactivity going on by setting sessions timeout to "0" for my custom app) and than an application override to make sure my "custom-ts-agent" was being used for the traffic and then verified with traffic log (logging set to both start and end). But it still got disconnected after approx 2h50m...
By the way, how come the ts-agent doesnt have an official appid? 🙂
paloalto-userid-agent exists but not paloalto-ts-agent?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!