User ip mapping with only Global Protect


L0 Member

Hi all,

I have a question regarding user-IP mapping when only using Global Protect to authenticate users.

Without enabling any user-id agent, neither externally on a server nor on the firewall.

It works as Global Protect identifies the logged-on user and uses this information to notify the firewall to place a user-IP mapping.

But I have tested the following scenario:

User A is logged on to the network with IP x.x.x.x and authenticated by Global Protect.

He pulls out the network cable, and at that moment user B connects to the same network with the same IP x.x.x.x.

User B has taken over the rights of user A.

This looks like a major security bug.

Why doesn't Global Protect set up a concurrent SSL connection to the Portal with a heartbeat, so the firewall is sure that user A is still the same user?

When the SSL connection is broken, the firewall could remove the user-IP mapping.

This is kind of the way Juniper IC works, but obviously Palo Alto doesn't.

Is there another secure way to maintain user-IP mapping and to be sure there could not be any takeover of IP addresses without the use of Active Directory log reading with a user-id agent (so only with Global Protect)?

Best regards

2 REPLIES

L4 Transporter

I'm interested in this kind of surrogate identification. I would like to know if paloalto does something on this topic.

regards

L4 Transporter

Hi, did you have a look at this documentation:

https://live.paloaltonetworks.com/docs/DOC-4820

This explains how to modify the TTL for the idle session. If you decrease it, that could minimize the problem.
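Added example, not code from the thread or from Palo Alto: a small simulation of the design the original post asks for (a mapping that lives only while heartbeats arrive) combined with the reply's point about the idle TTL. The class and function names are invented, and x.x.x.x is the placeholder address from the post; it shows how the takeover window depends on the TTL once user A stops sending heartbeats.

```python
import time


class UserIpMap:
    """Simulated user-to-IP mapping table (constructed model, not PAN-OS code).

    A mapping is created when the client reports a login for an IP and is kept
    alive only while heartbeats for that user keep arriving; once more than
    `ttl` seconds pass without one, lookups treat it as expired and drop it.
    """

    def __init__(self, ttl, clock=time.monotonic):
        self.ttl = ttl
        self.clock = clock
        self._entries = {}  # ip -> (user, time of last heartbeat)

    def login(self, ip, user):
        # A fresh login always replaces whatever was mapped to that IP.
        self._entries[ip] = (user, self.clock())

    def heartbeat(self, ip, user):
        # Only the currently mapped user can refresh the mapping for that IP.
        entry = self._entries.get(ip)
        if entry and entry[0] == user:
            self._entries[ip] = (user, self.clock())
            return True
        return False

    def lookup(self, ip):
        entry = self._entries.get(ip)
        if entry is None:
            return None
        user, last = entry
        if self.clock() - last > self.ttl:
            del self._entries[ip]  # heartbeat missed for too long: drop it
            return None
        return user


def takeover_window(ttl, gap):
    """Replay the thread's scenario with a fake clock.

    User A logs in from x.x.x.x, sends one heartbeat, then unplugs; `gap`
    seconds later user B's traffic arrives from the same IP without logging in.
    Returns the user the firewall would attribute that traffic to (None means
    the stale mapping had already been removed)."""
    now = [0.0]
    m = UserIpMap(ttl, clock=lambda: now[0])
    m.login("x.x.x.x", "userA")
    now[0] += 10
    m.heartbeat("x.x.x.x", "userA")
    now[0] += gap  # cable pulled: no further heartbeats from user A
    return m.lookup("x.x.x.x")
```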
