05-18-2022 01:09 AM
I have a Palo Alto firewall and have implemented User-ID in our environment. I am looking for some help on a specific use case. I am hoping to get some answers/guidance for the same.
Firewalls : PA-820/850 as well VM-300
PAN OS : 9.1.13-h3/9.1.9
I have installed the Windows-based User-ID agent on a couple of servers.
Windows Server OS : Server 2019 Standard
Palo's Windows User ID Agent : Version 9.1.2-9
1. Is WMI probing still a recommended option, or is it no longer in use..?
2. We have a lot of users who don't shut down their computers. I see an issue in mapping IP to user for these users/computers. They hibernate/sleep their computers and come to the office the next day, connect to the wired network, but the Windows User-ID agent is not able to map their IP to the user because there is no logon event on the Domain Controller. How to handle this use case..?
3. The second use case is that the user is connected to the wireless network and already logged in to the computer on the wireless network while in a meeting. The user comes back to their desk and connects to a docking station or the wired network. I believe again there will not be any login event with the wired IP address, so it is not able to map the wired IP to the user. How to handle this use case..?
We are using 802.1X on wireless, but there is no authentication on the wired network currently.
Is there any other option to make sure all these use cases are covered..?
Thanks in advance.
05-19-2022 07:30 PM
1. Is WMI probing still a recommended option, or is it no longer in use..? Not recommended, as it is too chatty.
2. For the scenario described... How to handle this use case..? Increase the timeout for User-ID from 45 minutes to 24 hours.
Now personally, even if the machine is asleep during the night, GroupPolicy states that there should be GPO "check ins" at 90 min intervals throughout the day (please research/confirm how often GPO checkins are preferred on MS)
3. Scenario: How to handle this use case..? GPO check-ins should still be occurring every 90 minutes (please confirm).
Please consider implementing Authentication Policy to help force users to re-authenticate to the network if their IP is "unknown" to the network. (https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/authentication/authentication-policy)
05-20-2022 07:53 PM
In addition to what @SteveCantwell mentioned, if you have Exchange in your environment you can use that to pull User-ID from its logs as well. Exchange in general produces way more events to read from during normal operations than just pulling through AD DCs.
06-01-2022 06:24 PM
Thanks @BPry and @SteveCantwell for your response.
We are using Microsoft Office 365, and I think we can't look at M365 events the way we could on an on-prem Exchange server.
I already increased the timeout and it is helping, but I still see some users not restarting their computers and connecting via LAN, and the IP-to-user mapping is not happening. GPO is getting pushed every 30 mins, but I thought that would not create the login event the User-ID agent needs to map the user to the IP..?
I will have to explore the option of Authentication Policy to see how that can help. It will be challenging to implement, as we have a few machines which are not part of the domain as well.
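To make the two gaps in this thread concrete, here is a small toy model of an IP-to-user mapping table with an expiry timeout. It is an added example written for this thread, not Palo Alto code and not how the User-ID agent is implemented internally; the event format, IP addresses, user names and timestamps are constructed. It shows why raising the timeout from 45 minutes to 24 hours helps the sleeping-laptop case (scenario 2) but cannot help the docking-station case (scenario 3), where the wired IP has never appeared in any monitored event.

```python
"""Toy model of a User-ID style IP-to-user mapping table with a timeout.
Constructed illustration for the thread above; not Palo Alto's code."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Mapping:
    user: str
    learned_at: datetime  # time of the logon event that produced the entry


class UserIdTable:
    """Hypothetical mapping table: an entry is only ever created or refreshed
    by a monitored logon event, and expires `timeout` after it was learned."""

    def __init__(self, timeout: timedelta) -> None:
        self.timeout = timeout
        self._table: dict[str, Mapping] = {}

    def on_logon_event(self, ip: str, user: str, when: datetime) -> None:
        self._table[ip] = Mapping(user, when)

    def lookup(self, ip: str, now: datetime) -> Optional[str]:
        entry = self._table.get(ip)
        if entry is None:
            return None  # never learned: no event ever carried this IP
        if now - entry.learned_at > self.timeout:
            del self._table[ip]  # aged out without a refreshing event
            return None
        return entry.user


def _parse_event(line: str):
    """Parse a constructed event line: '<iso-timestamp> LOGON user=<u> ip=<ip>'."""
    ts, _kind, user_kv, ip_kv = line.split()
    return datetime.fromisoformat(ts), user_kv.split("=", 1)[1], ip_kv.split("=", 1)[1]


# Constructed DC-style logon events seen by the agent (not real log data).
EVENTS = [
    "2022-05-18T09:00:00 LOGON user=alice ip=10.1.1.5",  # alice, wired desktop
    "2022-05-18T13:00:00 LOGON user=bob ip=10.2.2.7",    # bob, wireless in a meeting
]


def _load(timeout_minutes: int) -> UserIdTable:
    table = UserIdTable(timedelta(minutes=timeout_minutes))
    for line in EVENTS:
        when, user, ip = _parse_event(line)
        table.on_logon_event(ip, user, when)
    return table


def sleeping_laptop(timeout_minutes: int) -> dict:
    """Scenario 2: alice logs on at 09:00, sleeps overnight, wakes next day
    on the same wired IP and produces no new logon event."""
    table = _load(timeout_minutes)
    next_morning = datetime(2022, 5, 19, 8, 30)   # 23.5 h after the event
    later = datetime(2022, 5, 19, 9, 30)          # 24.5 h after the event
    return {
        "next_morning": table.lookup("10.1.1.5", next_morning),
        "after_24h": table.lookup("10.1.1.5", later),
    }


def docking_station(timeout_minutes: int) -> dict:
    """Scenario 3: bob logged on over wireless at 13:00, docks to wired IP
    10.1.1.9 at 13:30; no event ever mentions the wired IP."""
    table = _load(timeout_minutes)
    docked_at = datetime(2022, 5, 18, 13, 30)
    return {
        "wireless_ip": table.lookup("10.2.2.7", docked_at),
        "wired_ip": table.lookup("10.1.1.9", docked_at),
    }


if __name__ == "__main__":
    for minutes in (45, 24 * 60):
        print(f"timeout={minutes}m sleeping_laptop={sleeping_laptop(minutes)}")
        print(f"timeout={minutes}m docking_station={docking_station(minutes)}")
```

With the 24-hour timeout, alice is still mapped the next morning but drops out once 24 hours pass without a refreshing event; with 45 minutes she is gone either way. Bob's wireless mapping survives in both cases, yet the wired IP returns nothing regardless of timeout, because a longer timeout only delays expiry of an entry the agent already has and cannot create one for an IP it never saw. That is the gap the thread ends up addressing with Authentication Policy or 802.1X on the wired side rather than with timeouts.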