10-29-2018 04:20 PM
we have configured rules with group mapping using LDAP.
We have one user where he switch between user ids and when he trieds to login to server with user id not allowed in list he gets
denied.
should he log off and log on as best practice when he switch between user ids?
10-29-2018 08:11 PM
Try to add user to run apps with into ignore list.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClklCAC
10-30-2018 05:43 AM
So your scenario, if I understand it, is that you have a user using "switch user" in Windows to switch between sessions? And after he switches to a new session, he can no longer access what he wants to on the network, because the user account that he switched to doesn't meet your rule User-ID criteria?
That sort of sounds like it is working as intended, or else you need to add the account that he's switching to into the rule User-ID criteria. Adding the user account that he's switching to into the user-ignore-list.txt would prevent that account from being "learned" by the Palo Alto - ever. Not just on this machine...any time that account is used, it will not be learned by your firewall.
In the background, the user-ID agent is monitoring the authentication logs from your domain controllers. When the user switches, a successful authentication event is recorded on your DCs. The User-ID agent sees that log entry, notes the IP address and the user account, and then updates the firewall with the second user in the IP-to-User-mappings. This is now how your firewall will evaluate that IP address - with the new user account. Switching back to your original user should over-write that entry, because another authentication event takes place. And this is why adding the user to the ignore list will work - your authentication event for your second account will never get recorded by the user-id agent/updated in the IP-to-User-mappings in the firewall.
One other option is to deploy a global protect agent to authenticate to an internal (no tunnel) gateway on your firewalls, just to learn the user ID's.
10-29-2018 04:52 PM - edited 10-29-2018 04:53 PM
Does this user normally works with his default user but needs to use another one for task that require administrative privileges and the user-ids are switching between these two? Or uses scripts that run as another user, maybe a service account?
10-29-2018 06:19 PM - edited 10-29-2018 06:19 PM
works fine with default user account but user need to access some apps for that he has to login to those apps with different user id.
And thats what causes the problem.
Domain is same for both the default user account and other apps.
10-29-2018 08:11 PM
Try to add user to run apps with into ignore list.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClklCAC
10-30-2018 05:43 AM
So your scenario, if I understand it, is that you have a user using "switch user" in Windows to switch between sessions? And after he switches to a new session, he can no longer access what he wants to on the network, because the user account that he switched to doesn't meet your rule User-ID criteria?
That sort of sounds like it is working as intended, or else you need to add the account that he's switching to into the rule User-ID criteria. Adding the user account that he's switching to into the user-ignore-list.txt would prevent that account from being "learned" by the Palo Alto - ever. Not just on this machine...any time that account is used, it will not be learned by your firewall.
In the background, the user-ID agent is monitoring the authentication logs from your domain controllers. When the user switches, a successful authentication event is recorded on your DCs. The User-ID agent sees that log entry, notes the IP address and the user account, and then updates the firewall with the second user in the IP-to-User-mappings. This is now how your firewall will evaluate that IP address - with the new user account. Switching back to your original user should over-write that entry, because another authentication event takes place. And this is why adding the user to the ignore list will work - your authentication event for your second account will never get recorded by the user-id agent/updated in the IP-to-User-mappings in the firewall.
One other option is to deploy a global protect agent to authenticate to an internal (no tunnel) gateway on your firewalls, just to learn the user ID's.
10-30-2018 08:38 PM
Thanks everyone for answering the questions
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
