04-10-2019 04:29 AM
Hi;
What happens when you switch user? Does the integrated User Agent log off the original user? Does the original entry in the user-to-IP mapping table get overwritten?
Kindly
Wasfi
04-10-2019 05:37 AM
@Wasfi.Bounni wrote:
Hi;
What happens when you switch user? Does the integrated User Agent log off the original user? Does the original entry in the user-to-IP mapping table get overwritten?
Kindly
Wasfi
Say user A logs into a machine with IP 1.1.1.1. Provided you are capturing the correct mapping criteria, UIA will see user A tied to 1.1.1.1.
That user locks their machine and user B comes to the same machine and "switches user". User B provides credentials and logs into this same machine with IP 1.1.1.1. Again, provided the authentication messages are being captured at this time, the OLD record of user A being tied to 1.1.1.1 is removed and is replaced with user B as being associated with 1.1.1.1.
04-10-2019 06:45 AM - edited 04-10-2019 06:46 AM
@Brandon_Wertz wrote:
@Wasfi.Bounni wrote:
Hi;
What happens when you switch user? Does the integrated User Agent log off the original user? Does the original entry in the user-to-IP mapping table get overwritten?
Kindly
Wasfi
Say user A logs into a machine with IP 1.1.1.1. Provided you are capturing the correct mapping criteria, UIA will see user A tied to 1.1.1.1.
That user locks their machine and user B comes to the same machine and "switches user". User B provides credentials and logs into this same machine with IP 1.1.1.1. Again, provided the authentication messages are being captured at this time, the OLD record of user A being tied to 1.1.1.1 is removed and is replaced with user B as being associated with 1.1.1.1.
However, if fast user switching is used again so B switches back to A, the logs will most likely continue seeing user B on that IP. This came up recently here and it doesn't appear that the Palo reads the proper events to keep track of FUS events. I believe I read that other vendors solved this by reading 4778 & 4779.
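The switch-back case described in the post above, replayed against a small model of a user-to-IP table (an added example, not part of the original thread and not Palo Alto Networks code). It assumes a logon-only mapper reads event 4624 and that switching back to an existing session produces only 4778/4779; the event tuples and helper names are constructed for illustration.

```python
"""Replay of the fast-user-switching case from the thread (added example)."""

# Windows Security event IDs. 4778/4779 are the ones named in the post;
# 4624 (successful logon) is an assumption about what a logon-only mapper reads.
LOGON = 4624
RECONNECT = 4778   # a session was reconnected to a window station
DISCONNECT = 4779  # a session was disconnected from a window station

# Constructed sample, simplified to (event_id, user, workstation_ip) in time order.
# Assumption taken from the thread: switching back to an existing session
# produces no new logon event that the mapper sees.
SAMPLE_EVENTS = [
    (LOGON, "userA", "1.1.1.1"),       # A logs in
    (DISCONNECT, "userA", "1.1.1.1"),  # A locks, B picks "switch user"
    (LOGON, "userB", "1.1.1.1"),       # B logs in
    (DISCONNECT, "userB", "1.1.1.1"),  # B switches back to A
    (RECONNECT, "userA", "1.1.1.1"),   # A's existing session resumes
]


def replay(events, handled_ids):
    """Return the ip -> user table after replaying only the handled event IDs."""
    table = {}
    for event_id, user, ip in events:
        if event_id not in handled_ids:
            continue
        if event_id in (LOGON, RECONNECT):
            table[ip] = user  # newest active session overwrites the old entry
        elif event_id == DISCONNECT and table.get(ip) == user:
            del table[ip]     # nobody is active on this IP until the next event
    return table


def stale_entries(events):
    """Return {ip: (logon_only_user, session_aware_user)} where the two disagree."""
    logon_only = replay(events, {LOGON})
    session_aware = replay(events, {LOGON, RECONNECT, DISCONNECT})
    return {
        ip: (logon_only.get(ip), session_aware.get(ip))
        for ip in sorted(set(logon_only) | set(session_aware))
        if logon_only.get(ip) != session_aware.get(ip)
    }


if __name__ == "__main__":
    print("logon-only   :", replay(SAMPLE_EVENTS, {LOGON}))
    print("session-aware:", replay(SAMPLE_EVENTS, {LOGON, RECONNECT, DISCONNECT}))
    print("stale        :", stale_entries(SAMPLE_EVENTS))
```

A table keyed only by IP holds one user per address, so this model cannot represent a shared machine with several simultaneous remote desktop sessions, the case raised later in the thread.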
04-10-2019 09:37 AM - edited 04-10-2019 09:38 AM
Running the GlobalProtect agent on this machine is supposed to fix this issue. The same problem exists with a shared machine running multiple remote desktop sessions.
*I have not tested this yet.