As per the document https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CleBCAS describes, The IP-User mapping in firewall should be updated with the user used to RDP once a successful RDP is done. But I cannot see this behaviour in my environment, the username mapped with my PC is still the username I used to log in the device. I can see the RDP credential validation audit logs in Domain controller security event logs ( So hopes it is getting logged).
Anybody noticed this behaviour? any idea on if anything needs to be enabled in Domain controller for this to work?
Thanks in advance.
is your computer running globalprotect or is probing enabled on the UIDagent ?
Hi @reaper ,
Thanks for the response.
I came to know that the DC was not logging the RDP access logs in the security logs. Ie it was not creating any event IDs 4624, 4668. 4669, 4770 in the event logs. I tried to change the audit policy to enable this logging but no luck.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!