08-29-2013 05:00 AM
Hi all,
I have a question regarding user-IP mapping when only using Global Protect to authenticate users.
Without enabling any user-id agent. Neither external on a server, nor on the firewall.
It works as Global Protect identifies the logged-on user and uses this information to notify the firewall to place a user-IP mapping.
But I have tested the following scenario:
User A is logged on to the network with IP x.x.x.x and authenticated by Global Protect.
He pulls out the network cable, and at that moment user B connects to the same network with the same IP x.x.x.x.
User B has taken over the rights of user A.
This looks like a major security bug.
Why doesn't Global Protect set up a concurrent SSL connection to the Portal with a heartbeat, so the firewall is sure that user A is still the same user?
When the SSL connection is broken, the firewall could remove the user-IP mapping.
This is kind of the way Juniper IC works, but obviously Palo Alto doesn't.
Is there another secure way to maintain user-IP mapping and to be sure there could not be any takeover of IP addresses without the use of Active Directory log reading with a user-id agent (so only with Global Protect)?
Best regards
11-05-2013 02:24 AM
Hi, did you have a look at this documentation:
https://live.paloaltonetworks.com/docs/DOC-4820
This explains how to modify the TTL for the idle session. If you decrease it, it could minimize the problem.
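To make the scenario in the question and the TTL-based mitigation in the reply concrete, here is a constructed toy model of a user-to-IP mapping table. It is an added example, not PAN-OS or GlobalProtect code and not from the linked document: the class names, the `10.0.0.5` address, the user names and the timings are all assumptions. It shows that a mapping learned at login and expired only by an idle timer is inherited by whoever next receives the same IP until the timer runs out, that a shorter idle TTL bounds that window, and that tearing the mapping down as soon as the client session is known to be gone (the heartbeat idea from the question) closes it entirely.

```python
"""Toy model of a firewall user-IP mapping table with an idle TTL.

Constructed example, not PAN-OS / GlobalProtect code. It models the
thread's scenario: user A logs in from an IP, unplugs, and user B later
receives the same IP. Which user does the firewall attribute B's traffic to?
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Mapping:
    user: str
    learned_at: float   # time the mapping was created or last refreshed
    ttl: float          # idle seconds after which the mapping is dropped


class UserIpTable:
    """Minimal user-IP mapping table with lazy idle-TTL expiry."""

    def __init__(self, idle_ttl: float) -> None:
        self.idle_ttl = idle_ttl
        self._table: Dict[str, Mapping] = {}

    def learn(self, ip: str, user: str, now: float) -> None:
        """Create or refresh a mapping, as a client login would."""
        self._table[ip] = Mapping(user, now, self.idle_ttl)

    def forget(self, ip: str) -> None:
        """Explicitly drop a mapping, e.g. when a session heartbeat fails."""
        self._table.pop(ip, None)

    def lookup(self, ip: str, now: float) -> Optional[str]:
        """Return the user the firewall would attribute traffic from `ip` to."""
        m = self._table.get(ip)
        if m is None:
            return None
        if now - m.learned_at >= m.ttl:
            # Idle TTL elapsed: expire the stale mapping instead of reusing it.
            del self._table[ip]
            return None
        return m.user


IP = "10.0.0.5"  # constructed address shared by user A and then user B


def attributed_user(idle_ttl: float, b_arrives_at: float,
                    heartbeat_cleanup: bool) -> Optional[str]:
    """Run the scenario and return who B's traffic is attributed to.

    User A logs in from IP at t=0 and unplugs shortly after. User B gets the
    same IP and sends traffic at t=b_arrives_at. With heartbeat_cleanup the
    mapping is removed when A's client session is observed to be gone.
    """
    table = UserIpTable(idle_ttl=idle_ttl)
    table.learn(IP, "userA", now=0.0)
    if heartbeat_cleanup:
        table.forget(IP)  # session gone -> mapping removed immediately
    return table.lookup(IP, now=b_arrives_at)


def exposure_window(idle_ttl: float, last_refresh: float,
                    disconnect_at: float) -> float:
    """Seconds after A's disconnect during which the stale mapping survives."""
    return max(0.0, last_refresh + idle_ttl - disconnect_at)


if __name__ == "__main__":
    # Long idle TTL: B inherits A's identity for the rest of the TTL.
    print("ttl=3600, heartbeat off:", attributed_user(3600, 60, False))
    # Shorter idle TTL: the mapping has already expired when B arrives.
    print("ttl=30,   heartbeat off:", attributed_user(30, 60, False))
    # Heartbeat-style cleanup: no window at all.
    print("ttl=3600, heartbeat on: ", attributed_user(3600, 60, True))
    print("exposure after disconnect at t=10, ttl=3600:",
          exposure_window(3600, 0, 10), "s")
```

The TTL only shrinks the window (`exposure_window` is the idle TTL minus the time since the last refresh), so the trade-off the reply points at is between a short idle timeout and re-authentication churn for legitimate users; an explicit session-liveness signal is what removes the window rather than narrowing it.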