Windows and User-Mappings

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Windows and User-Mappings

L1 Bithead

I have a user group in Active Directory where we place users who should not reach the internet. This user group is then tied to a Palo Alto rule to Deny access.

I've noticed (Windows PC) this week, that if a user who is in the Deny group logs in to a PC, they will be denied (works fine), however, lets say they log out and a person who should have access logs in to the same PC....packets are still hitting the firewall with the previous username, thus they get denied.

 

I dont believe this might be entirely tied to Palo Alto, I have a feeling it is something in Windows-land, but I just wanted to see if anyone else has ran into this.

 

One way to get it to work again is to change the VLAN on the user, forcing them to grab a different IP.

1 accepted solution

Accepted Solutions

L3 Networker

using a UserID agent based set up would be better for your issues, 

 

when multiple people are logging in the same computer, the agent would pick up the latest login event of that pc and update it in firewall,

 

For no check with AD, i believe its partialy true, yes it will allow to log in but in background the pc would try to authenticate the pc with the credentials entered, and if they have any application logged in with there id, it may take a few minutes and they should be mapped correctly.

 

Captive portal can alo solve this probelm, by authenticating an unknown user to ip by prompting to the user.

 

your other question should be how would you block a  "restricted" user that just logged in and since previous id is  "allowed"  obtains the access to internet, In that case, set the id timeout on user id agent (assuming you set it up) to a mere few minutes.

 

~HTH

View solution in original post

10 REPLIES 10

L7 Applicator

does the user ip mapping ever update to the correct user or have you never left it for that long to test.

 

 

@david.alicea do you may be also block access to the domain controller for this deny group?

L6 Presenter

Yes, and you'd be correct.  Indirectly it has nothing to do with the firewall, but rather or firewall being updated with the user ID change.

 

Whichever method you're using for user attribution I would ensure the update and general user-id collection intervals are appropriate.

 

 

More than likely what's occurring is the user that is logging into the PC that shouldn't be denied is logging into the PC via credentials which already exist on the PC.  Since you're collecting logs from a domain controller you aren't seeing updates to the firewall because there was in-fact no domain controller authentication.  The user authenticated to the local PC.  (That's just my guess)

On our end right now we are only using AD Authentication and not the actual User Agent-ID (yet). So the firewall is set to poll a few DCs on an interval. What settings would need to be updated to force more communication from the DC to the firewall. Or is it really trying to force more communication from the PC to the DC? That is what is sounds like based on your observation. The PC is the one not communicating to the DC to let the DC know there was a login change.

Its pretty wide open between DCs and users. This firewall is only traversed on the way to the internet.

@david.alicea,

Do you have an on-site Exchange enviroment that you could use to pull the security events from that? That in my case has been one of the more reliable ways to get user-id information in an office enviroment, simply because most users will always have Outlook open. Find more info on the Exchange setup HERE

 

That or you could setup GlobalProtect as an always-on format to ensure that the User-Id mapping is always up-to-date regardless of whether the user is internal or external. 

Yep, we do have an on-prem Exchange...for now. My plan was to eventually go through with the actual User Agent-ID setup.

However...is that really going to solve the scenario of a shared PC?

One user who is denied logs in to the shared PC and gets denied to the internet by the FW...but the second user who logs in (and should have access to the internet) will not be denied? As one of the above posts stated, the Windows username who should be allowed to the internet is logging into the same PC it already had a profile in. So that will not send domain info over to the Domain Controller.

@david.alicea,

This depends on whether or not the user is going to open Outlook on that machine. If they open their email after they login that will trigger the update for the user-id table if you are monitoring the Exchange enviroment. This would fix it from being denied. 

If the user isn't going to be logging into Outlook then this really isn't going to help you at all and you would have to explore the GlobalProtect options. 

L3 Networker

using a UserID agent based set up would be better for your issues, 

 

when multiple people are logging in the same computer, the agent would pick up the latest login event of that pc and update it in firewall,

 

For no check with AD, i believe its partialy true, yes it will allow to log in but in background the pc would try to authenticate the pc with the credentials entered, and if they have any application logged in with there id, it may take a few minutes and they should be mapped correctly.

 

Captive portal can alo solve this probelm, by authenticating an unknown user to ip by prompting to the user.

 

your other question should be how would you block a  "restricted" user that just logged in and since previous id is  "allowed"  obtains the access to internet, In that case, set the id timeout on user id agent (assuming you set it up) to a mere few minutes.

 

~HTH

It seems everything is leading over to the Agent-ID. I'll begin the setup next week. Thanks everyone.

  • 1 accepted solution
  • 4810 Views
  • 10 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!