11-07-2018 02:50 AM
Hello!
The local user Administrator is logged in on the desktop and he is not allowed to access the internet. But he can access.
When checking in Monitor on PA220, I noticed that another user appears in the Source User column and not the Administrator user.
Has anyone ever experienced this?
Software version 8.0.10
Thank you!
11-07-2018 03:08 AM
Ok... but, do you know how we can solve this issue?
Thank you!
11-07-2018 03:16 AM
ooh... good point... not sure... I'm sure someone will jump in and advise..
To confirm... are you using AD for User-ID?
11-07-2018 03:17 AM
Yes... I am using AD server.
So, let's wait...
Thanks
11-07-2018 03:26 AM - edited 11-07-2018 03:27 AM
Have you tried this approach...
• Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup > Client Probing
You can configure the User-ID agent to perform WMI client probing for each client system that the user mapping process identifies. The User-ID agent will periodically probe each learned IP address to verify that the same user is still logged in. When the firewall encounters an IP address for which it has no user mapping, it sends the address to the User-ID agent for an immediate probe. To configure client probing settings, complete the following fields.
11-07-2018 03:37 AM
This option is enabled...
11-07-2018 01:52 PM
You'll never get local admin accounts to actually show up as a user-id, unless you poll the machine in question which would be a really odd configuration. WMI client probing can help in this case, but your user-id configuration will ignore the user unless specifically set to allow it.
Best solution: admin accounts should be AD users that are granted administrative rights on the machine. If you are going to use local-user accounts for administrative purposes you'll have to grant at least basic tcp/80 and tcp/443 access for any unknown-user in your environment and just be sure to log it to fit in with your security needs.
11-08-2018 05:02 AM
Hello Bpry,
we do not want local users to have access to the internet. The local administrator was able to access the internet by chance and we were surprised when we checked the PA220 log.
I think the problem is when the PA220 looks in the Domain Controller Audit log for the validation of the user who is logged into the machine. Because the local machine administrator is not registered in the Domain Controller Audit log, it takes the last user record that logged on the machine.
Thank you!
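The mechanism described in the thread, as an added illustration that is not code from Palo Alto Networks or from the posters: a toy model of the firewall's IP-to-user table, fed only by domain-controller logon events, shows why a later local Administrator logon on the same IP keeps the previous AD user's mapping until it times out or a probe refreshes it. All IPs, usernames, timeouts and the `probe_host` callback are constructed for the example.

```python
# Constructed events: only domain logons reach the DC security log. The local
# Administrator logon on the same PC is never seen by User-ID.
DC_LOGON_EVENTS = [{"time": 0, "ip": "10.1.1.50", "user": "corp\\jdoe"}]
LOCAL_LOGONS = [{"time": 600, "ip": "10.1.1.50", "user": "PC01\\Administrator"}]
# Constructed firewall sessions; the second one is really the local admin.
TRAFFIC = [{"time": 120, "ip": "10.1.1.50", "port": 443},
           {"time": 900, "ip": "10.1.1.50", "port": 443}]


def probe_host(ip):
    """Hypothetical stand-in for a WMI client probe: ask the host who is logged on."""
    users = [e["user"] for e in LOCAL_LOGONS if e["ip"] == ip]
    return users[-1] if users else None


class UserIdMapper:
    """Minimal model of the IP-to-user table.

    A mapping learned from a DC logon event stays valid for `timeout` seconds;
    after that the IP is unknown unless an optional probe supplies a fresh user.
    """

    def __init__(self, timeout, probe=None):
        self.timeout = timeout
        self.probe = probe
        self.table = {}  # ip -> (user, learned_at)

    def learn(self, time, ip, user):
        self.table[ip] = (user, time)

    def lookup(self, time, ip):
        entry = self.table.get(ip)
        if entry and time - entry[1] <= self.timeout:
            return entry[0]  # still trusts the last DC-logged user
        if self.probe:
            user = self.probe(ip)
            if user:
                self.learn(time, ip, user)
                return user
        return None  # unknown-user


def evaluate(mapper):
    """Attribute each session and apply a policy that allows only corp\\ users."""
    for ev in DC_LOGON_EVENTS:
        mapper.learn(ev["time"], ev["ip"], ev["user"])
    results = []
    for s in TRAFFIC:
        user = mapper.lookup(s["time"], s["ip"])
        allowed = user is not None and user.startswith("corp\\")
        results.append((s["time"], user, allowed))
    return results
```

With a long mapping timeout the second session is still logged as corp\jdoe and allowed, which is the mismatch seen in the PA-220 monitor; a shorter timeout turns it into unknown-user, and a probe that reports the local account lets the deny rule apply.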