Wrong user from access log

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Wrong user from access log

L2 Linker



The local user Administrator is logged in on the desktop and he is not allowed to access the internet. But he can access.

When checking in Monitor on PA220, I noticed that another user appears in the Source User column and not the Administrator user.

Has anyone ever experienced this?


Software version 8.0.10 


Thank you!




Correct; which is why WMI probing isn't going to help you here, as the firewall sees the old user-mapping and has no reason to immedately trigger a probe. You could potentially get around this by decreasing your timeout value, which still wouldn't eleviate the issue but would probably fit what you are aiming to do better than what you have already. 



unfortunately it did not work. 


Thank you.

Hello @BPry,

I logged with user "educlocal" (he doesn't has internet access and he is a local user in Windows 10.).

But he is accessing internet.






Here is the log showing the user showing by PA when local user "educlocal" access the internet.monitor.png


this is one of my issue.


Thank you!




Just because a new user logs in doesn't mean the user-id information on the firewall will automatically clear, the firewall has 0 knowledge of this event if you're just reading AD logs. Depending on a number of different configuration options ( WMI Probing Interval, User Identification Timeout Value) the mapping will stay present until it is removed or updated. 


So if I'm logged into a machine with 'DOMAIN\bpry' as my user-id and then log in with a local admin account, the firewall doesn't have any idea that this local-account was ever used. To account for this either the probe interval can be increased if using WMI, or the identication timeout value can be decreased. Each option has downsides:


WMI Probing:

- Some find it difficult to setup

- Setting a short WMI Probe interval will cause a large amount of network traffic to all devices.


User Identifcation Timeout:

- Depending on the source of the user-id logs a short timeout value isn't possible if you wish to maintain user-id mappings.

- Setting an artifically high value can also cause issues.


When you're using local accounts there isn't a good way to solve the issue that you are running into. You simply aren't providing the firewall with the required information to update the user-id mapping. This means that regardless of what you do, there is the possibility that for a certain period of time the old user-id mapping will stay active when you log in with a local account.

To properly fix this you need to get rid of local accounts; there isn't another way to get around this issue. 

could you not run a script on local group policy that mapped a network drive to an AD share with username




this would then update User-ID to a user that would be denied internet access...


a bit heath robinson but workable...


I favour the banning of local user accounts...  




Hacky work around, but it would sure work! 



So, I have to think how to get rid of local account like administrator account.


Thank you.



not get rid of it....     just dont give the password out!


who is using the local admin account and why do they need to use the local admin account?



The support team you use the local administrator account to do local maintenance.



Thank you.




Ya that's not really required at all if your environment is setup to current enterprise standards. For example each of our machines have a local admin account, but the password is controlled by LAPS and nobody logs into the account for anything. Administration of the machine is done through an AD account granted admin rights to all domain-joined computers. There really isn't any need to do this with a local account, and it deffinetly doesn't follow best-practice for Windows administration. 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!