What happens when you do switch user, does the integrated User Agent logoff the original user?

Reply
Highlighted
L2 Linker

What happens when you do switch user, does the integrated User Agent logoff the original user?

Hi;

 

What happens when you do switch user, does the integrated User Agent logoff the original user? Does the original entry in the user to IP mapping table get overwritten ?

 

 

Kindly

Wasfi

Tags (2)

Accepted Solutions
Highlighted
L3 Networker


@Brandon_Wertz wrote:

@Wasfi.Bounni wrote:

Hi;

 

What happens when you do switch user, does the integrated User Agent logoff the original user? Does the original entry in the user to IP mapping table get overwritten ?

 

 

Kindly

Wasfi


 

Say user A logs into a machine with IP 1.1.1.1.  Provided you are capturing the correct mapping criteria UIA will see user A tied to 1.1.1.1.

 

That user locks their machine and user B comes to the same machine and "switches user".  User B provides credentials and logs into this same machine with IP 1.1.1.1.  Again, provided the authentication messages are being captured at this time the OLD record of user A being tied to 1.1.1.1 is removed and is replaced with user B as being associated with 1.1.1.1.


 

 

However, if fast user switching is used again so B switches back to A, the logs will most likely continue seeing user B on that IP.  This came up recently here and it doesn't appear that the Palo reads the proper events to keep track of FUS events.  I beleive I read that other vendors solved this by reading 4778 & 4779 

View solution in original post


All Replies
Highlighted
Cyber Elite


@Wasfi.Bounni wrote:

Hi;

 

What happens when you do switch user, does the integrated User Agent logoff the original user? Does the original entry in the user to IP mapping table get overwritten ?

 

 

Kindly

Wasfi


 

Say user A logs into a machine with IP 1.1.1.1.  Provided you are capturing the correct mapping criteria UIA will see user A tied to 1.1.1.1.

 

That user locks their machine and user B comes to the same machine and "switches user".  User B provides credentials and logs into this same machine with IP 1.1.1.1.  Again, provided the authentication messages are being captured at this time the OLD record of user A being tied to 1.1.1.1 is removed and is replaced with user B as being associated with 1.1.1.1.

Highlighted
L3 Networker


@Brandon_Wertz wrote:

@Wasfi.Bounni wrote:

Hi;

 

What happens when you do switch user, does the integrated User Agent logoff the original user? Does the original entry in the user to IP mapping table get overwritten ?

 

 

Kindly

Wasfi


 

Say user A logs into a machine with IP 1.1.1.1.  Provided you are capturing the correct mapping criteria UIA will see user A tied to 1.1.1.1.

 

That user locks their machine and user B comes to the same machine and "switches user".  User B provides credentials and logs into this same machine with IP 1.1.1.1.  Again, provided the authentication messages are being captured at this time the OLD record of user A being tied to 1.1.1.1 is removed and is replaced with user B as being associated with 1.1.1.1.


 

 

However, if fast user switching is used again so B switches back to A, the logs will most likely continue seeing user B on that IP.  This came up recently here and it doesn't appear that the Palo reads the proper events to keep track of FUS events.  I beleive I read that other vendors solved this by reading 4778 & 4779 

View solution in original post

Highlighted
L4 Transporter

Running the Global Protect Agent on this machine is supposed to fix this issue.  The same problem exists with a shared machine running multiple remote desktop sessions.

 

*I have not tested this yet.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!