09-15-2025 12:02 AM
When multiple users access a terminal server from a single IP address, the firewall cannot distinguish which user generated which traffic. The firewall maps the IP address to only one user.
After research, I resolved this issue with TSA, but I wanted to know if it's possible to determine which user actually owned the traffic from the past, before TSA was installed!
09-15-2025 05:22 AM
No you can't get historical data.
If you install TSA then every user will get block of source ports.
Outgoing traffic from specific user will be sourced from port range assigned to that user.
TSA hands over source block range to user mapping over to Palo that can then identify user based on what source port traffic came from.
As you don't have such source port mapping before TSA was installed you can't segregate user traffic from before TSA install.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
