user if agent and switching between ids


Cyber Elite

We have configured rules with group mapping using LDAP.

We have one user who switches between user IDs, and when he tries to log in to a server with a user ID not allowed in the list, he gets denied.

Should he log off and log on as best practice when he switches between user IDs?

MP

Help the community: Like helpful comments and mark solutions.

Accepted Solutions

Try adding the user he runs the apps with to the ignore list.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClklCAC

Principal Architect @ Cloud Carib Ltd
Palo Alto Networks certified from 2011


So your scenario, if I understand it, is that you have a user using "switch user" in Windows to switch between sessions? And after he switches to a new session, he can no longer access what he wants to on the network, because the user account that he switched to doesn't meet your rule's User-ID criteria?

That sort of sounds like it is working as intended, or else you need to add the account that he's switching to into the rule's User-ID criteria. Adding the user account that he's switching to into the user-ignore-list.txt would prevent that account from being "learned" by the Palo Alto, ever. Not just on this machine: any time that account is used, it will not be learned by your firewall.

In the background, the User-ID agent is monitoring the authentication logs from your domain controllers. When the user switches, a successful authentication event is recorded on your DCs. The User-ID agent sees that log entry, notes the IP address and the user account, and then updates the firewall with the second user in the IP-to-user mappings. This is now how your firewall will evaluate that IP address: with the new user account. Switching back to your original user should overwrite that entry, because another authentication event takes place. And this is why adding the user to the ignore list will work: the authentication event for your second account will never get recorded by the User-ID agent or updated in the IP-to-user mappings in the firewall.

One other option is to deploy a GlobalProtect agent to authenticate to an internal (no tunnel) gateway on your firewalls, just to learn the user IDs.

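To make the sequence in the accepted answer concrete, here is a small added Python model (not Palo Alto Networks code and not part of the thread) that replays constructed domain-controller logon events into an IP-to-user table, once without and once with an ignore list, and then evaluates a user-based rule against the result. The event tuples, the account names, the ignore-list text format and the `rule_decision` helper are assumptions for illustration only; the real agent and firewall carry far more state than this.

```python
# Toy model of the User-ID flow described in the accepted answer: the agent
# reads successful logon events from the domain controllers, keeps one
# IP-to-user mapping per client IP (latest logon wins), and drops any event
# whose account is on the ignore list. Added illustration, not Palo Alto
# Networks code; events, account names and the ignore-list format are
# constructed assumptions.

from typing import Dict, Iterable, List, Set, Tuple

Event = Tuple[str, str]  # (account, client IP), in the order the DC logged them

# Constructed sample events for one workstation: primary logon, a
# "switch user" logon with a secondary account, then a switch back.
SAMPLE_EVENTS: List[Event] = [
    ("corp\\alice", "10.1.1.25"),
    ("corp\\alice-apps", "10.1.1.25"),
    ("corp\\alice", "10.1.1.25"),
]

# Constructed ignore-list text: one account per line, '#' starts a comment.
# (Assumed format for this model, not the product's own file format.)
SAMPLE_IGNORE_LIST = """
# accounts the agent must never map to an IP
corp\\alice-apps
"""


def load_ignore_list(text: str) -> Set[str]:
    """Parse ignore-list text into a set of lower-cased account names."""
    accounts: Set[str] = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            accounts.add(line.lower())
    return accounts


def build_mappings(events: Iterable[Event], ignore_list: Set[str]) -> Dict[str, str]:
    """Replay logon events in order and return the resulting IP-to-user table."""
    mappings: Dict[str, str] = {}
    for account, ip in events:
        if account.lower() in ignore_list:
            continue  # ignored account: the event never reaches the table
        mappings[ip] = account  # a later logon from the same IP overwrites
    return mappings


def rule_decision(ip: str, allowed_users: Set[str], mappings: Dict[str, str]) -> str:
    """Evaluate a user-based rule for traffic from `ip` against the mapping table."""
    user = mappings.get(ip)
    if user is None:
        return "deny (unknown user)"
    allowed = {u.lower() for u in allowed_users}
    return "allow" if user.lower() in allowed else "deny"


def main() -> None:
    allowed = {"corp\\alice"}  # the only account in the rule's User-ID criteria
    scenarios = (("no ignore list", set()),
                 ("ignore list", load_ignore_list(SAMPLE_IGNORE_LIST)))
    for label, ignore in scenarios:
        print(f"== {label} ==")
        for n in range(1, len(SAMPLE_EVENTS) + 1):
            table = build_mappings(SAMPLE_EVENTS[:n], ignore)
            verdict = rule_decision("10.1.1.25", allowed, table)
            print(f"after event {n}: {table} -> {verdict}")


if __name__ == "__main__":
    main()
```

Running it shows the symptom from the question: without an ignore list the second logon flips the mapping for 10.1.1.25 to `corp\alice-apps` and the rule denies until the user switches back; with the secondary account on the ignore list the mapping stays `corp\alice` throughout.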

5 REPLIES

L7 Applicator

Does this user normally work with his default user but need to use another one for tasks that require administrative privileges, so the user IDs are switching between these two? Or does he use scripts that run as another user, maybe a service account?

It works fine with the default user account, but the user needs to access some apps, and for that he has to log in to those apps with a different user ID.

And that's what causes the problem.

The domain is the same for both the default user account and the other apps.

MP


Thanks everyone for answering the questions

MP
