What happens when you do switch user, does the integrated User Agent logoff the original user?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

What happens when you do switch user, does the integrated User Agent logoff the original user?

L2 Linker

Hi;

 

What happens when you do switch user, does the integrated User Agent logoff the original user? Does the original entry in the user to IP mapping table get overwritten ?

 

 

Kindly

Wasfi

1 accepted solution

Accepted Solutions


@Brandon_Wertz wrote:

@Wasfi.Bounni wrote:

Hi;

 

What happens when you do switch user, does the integrated User Agent logoff the original user? Does the original entry in the user to IP mapping table get overwritten ?

 

 

Kindly

Wasfi


 

Say user A logs into a machine with IP 1.1.1.1.  Provided you are capturing the correct mapping criteria UIA will see user A tied to 1.1.1.1.

 

That user locks their machine and user B comes to the same machine and "switches user".  User B provides credentials and logs into this same machine with IP 1.1.1.1.  Again, provided the authentication messages are being captured at this time the OLD record of user A being tied to 1.1.1.1 is removed and is replaced with user B as being associated with 1.1.1.1.


 

 

However, if fast user switching is used again so B switches back to A, the logs will most likely continue seeing user B on that IP.  This came up recently here and it doesn't appear that the Palo reads the proper events to keep track of FUS events.  I beleive I read that other vendors solved this by reading 4778 & 4779 

View solution in original post

3 REPLIES 3

L6 Presenter

@Wasfi.Bounni wrote:

Hi;

 

What happens when you do switch user, does the integrated User Agent logoff the original user? Does the original entry in the user to IP mapping table get overwritten ?

 

 

Kindly

Wasfi


 

Say user A logs into a machine with IP 1.1.1.1.  Provided you are capturing the correct mapping criteria UIA will see user A tied to 1.1.1.1.

 

That user locks their machine and user B comes to the same machine and "switches user".  User B provides credentials and logs into this same machine with IP 1.1.1.1.  Again, provided the authentication messages are being captured at this time the OLD record of user A being tied to 1.1.1.1 is removed and is replaced with user B as being associated with 1.1.1.1.


@Brandon_Wertz wrote:

@Wasfi.Bounni wrote:

Hi;

 

What happens when you do switch user, does the integrated User Agent logoff the original user? Does the original entry in the user to IP mapping table get overwritten ?

 

 

Kindly

Wasfi


 

Say user A logs into a machine with IP 1.1.1.1.  Provided you are capturing the correct mapping criteria UIA will see user A tied to 1.1.1.1.

 

That user locks their machine and user B comes to the same machine and "switches user".  User B provides credentials and logs into this same machine with IP 1.1.1.1.  Again, provided the authentication messages are being captured at this time the OLD record of user A being tied to 1.1.1.1 is removed and is replaced with user B as being associated with 1.1.1.1.


 

 

However, if fast user switching is used again so B switches back to A, the logs will most likely continue seeing user B on that IP.  This came up recently here and it doesn't appear that the Palo reads the proper events to keep track of FUS events.  I beleive I read that other vendors solved this by reading 4778 & 4779 

Running the Global Protect Agent on this machine is supposed to fix this issue.  The same problem exists with a shared machine running multiple remote desktop sessions.

 

*I have not tested this yet.

  • 1 accepted solution
  • 4409 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!