Users failed to authenticate when they have Windows7 in their PCs...?


Hi,

We've got two PANAgents on W2008 and we've seen that our users running Windows 7 have some problems being authenticated.

Our partner has advised us that NetBIOS probing doesn't work with Windows 7, and that in the new version, PAN-OS 3.1, it will be supported via WMI. But is there any known issue related to Windows 7 in the query to DCs from the PANAgent?

Is there any way to see from which DC the PANAgent is obtaining its information for IP-user mapping? What does each level of debug logging show?

Regards,

Accepted Solutions

Hello Fw-admin,

There should be no issues with users running Windows 7. How the user identification agent maps users to IPs has more to do with Active Directory. The user identification agent actually reads the security logs from the domain controller/s.

The domain controller must log "successful login" information.

These are the event ids that pan-agent looks at:

2000 & 2003

SUCCESS_NET_LOGON = 540,

AUTH_TICKET_GRANTED = 672,

SERVICE_TICKET_GRANTED = 673,

TICKET_GRANTED_RENEW = 674,

ACCOUNT_USED_FOR_LOGON = 680,

2008

LOGON_SUCCESS_W2008 = 4624,

AUTH_TICKET_GRANTED_W2008 = 4768,

TICKET_GRANTED_RENEW_W2008 = 4770,

ACCOUNT_USED_FOR_LOGON_W2008 = 4776,

However, if you have the user identification agent configured to also use Netbios probe, then the user identification agent will also send out a probe to all of the machines in the subnet for the allow list that you configured on the user identification agent. Then the user to IP mapping can change based on the results from the netbios probe. If a machine does not respond to the netbios probe or if there was a networking issue that caused the netbios probe to not reach a machine, then that user will be identified as unknown. Desktop hosts may be unable to respond to probes, due to 3rd party security applications or use of Windows Vista... thus, it is possible that Windows 7 may be blocking netbios probes or simply not responding to them.

thanks
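
One way to check the point made in the answer above, that the domain controller must be logging the events the agent reads, is to query the DC's Security log for the Windows Server 2008 event IDs listed there. This is an added example, not part of the original post and not Palo Alto Networks code; the DC name, client IP and time window are placeholder assumptions.

```powershell
# Added example. $DomainController and $ClientIp are placeholders (assumptions),
# not values taken from the thread.
param(
    [string]$DomainController = 'dc01.example.local',
    [string]$ClientIp         = '192.0.2.25',
    [int]$Hours               = 4
)

# Windows Server 2008 event IDs listed in the answer above.
$AgentEventIds = 4624, 4768, 4770, 4776

$filter = @{
    LogName   = 'Security'
    Id        = $AgentEventIds
    StartTime = (Get-Date).AddHours(-$Hours)
}

# Get-WinEvent raises an error when nothing matches; treat that as an empty result.
$events = @(Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter `
                         -ErrorAction SilentlyContinue)

# 1. Is the DC logging each of these event IDs at all?
foreach ($id in $AgentEventIds) {
    [pscustomobject]@{
        EventId = $id
        Count   = @($events | Where-Object Id -eq $id).Count
    }
}

# 2. Which user names did the DC record for the client IP in question?
#    4776 carries a Workstation field instead of IpAddress, so it never matches here.
foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    # Strip the IPv4-mapped IPv6 prefix that some events put in front of the address.
    $ip = "$($data['IpAddress'])" -replace '^::ffff:', ''
    if ($ip -eq $ClientIp) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            EventId = $e.Id
            User    = $data['TargetUserName']
            Ip      = $ip
        }
    }
}
```

A zero count for every ID means the DC is not auditing successful logons, so the agent has nothing to read; events present for the Windows 7 client's IP point the investigation at the probe side instead. The account running the script needs read access to the Security log on the DC.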


3 REPLIES 3

L5 Sessionator

Hello,

So far we don't know of any issues running the PAN Agent on Windows 7.

The statements in the PAN Agent logs beginning with "SERVICE_TICKET_GRANTED" will indicate the IP of the DC server and the name/IP of the user.

The debug options for the PAN Agent logging are:

None - No debugging output

Info - Default value. Includes all error/warning log output, as well as some system running information logs.

Debug - Includes all Info level log output, as well as most Debug related logs.

Verbose - Includes all Info and Debug level log output, as well as all verbose logs.

Hello,

I'm not asking about problems with the PANAgent installed on Windows 7. The question is whether there is any known issue with users' PCs running Windows 7. We're detecting some problems with the same policies configured in our PA when the user changes their PC from Windows XP to Windows 7.

When the user had Windows XP, things ran properly and the PANAgent was able to identify user-IP. Now, when the user has Windows 7, the PANAgent isn't able to identify the same user-IP.

Thanks for description of debugs,

Regards.

