About dieter_b

Slightly off topic, but hard disk related: If the hard disk in a PA were replaced by a SSD, would it boot faster ? Would it commit faster ? Can I swap hard disks easily or are they prepared with a special formatting ? ... View more

Haven't tried that, but there's still the issue with the long timeout on the PA device... ... View more

Has this been done before ? I don't know the API, so I have no idea how difficult/easy this would be to implement. ... View more

Does make sense, but as far as I know, the PAN agents don't collect log out events. ... View more

Like you said: most users are in our active directory. That's because we want to make sure the user is allowed/forbidden access to certain resources. I consider AD authentication very reliable. The only time it fails is when users give their passwords to others, but that is not my responsability anymore. Until further notice I consider User ID not reliable, but it is my responsability to make sure unauthenticated user can't browse the internet. I'm having my reseller escalate the issue to the local PA office. ... View more

This undermines one of the most important features PaloAlto advertises: http://www.paloaltonetworks.com/technology/user-id.html ... View more

Ok, the user now times out on the PAN agent. But on the device the timeout is fixed at 3600 seconds. This means the local user who has logged on shortly after the domain user can still access the internet. And that traffic is mistakenly logged as coming from the domain user. ... View more

enable_full_expire was indeed set to 0 (why is that option not on the configure dialog ?!) The file user_ip_map.txt gets recreated shortly after restarting the panagentservice. I will test timeout expiration now... ... View more

You are correct. I was testing to see if it made any difference. It doesn't. Log fragment with NetBIOS disabled: 2011 02 15 14:33:55, Sending 5 IP(s) to device (127.0.0.1) 2011 02 15 14:33:55,     [1] 10.39.1.62 : mengrp\geoffrey.beulque to device (127.0.0.1) 2011 02 15 14:33:55,     [2] 10.39.1.98 : mengrp\dieter to device (127.0.0.1) 2011 02 15 14:33:55,     [3] 10.39.0.106 : mengrp\geoffrey.beulque to device (127.0.0.1) 2011 02 15 14:33:55,     [4] 10.39.0.199 : mengrp\dieter.bulcke to device (127.0.0.1) 2011 02 15 14:33:55,     [5] 10.39.0.17 : mengrp\paul.gijswijt to device (127.0.0.1) Note that the pc has been physically disconnected from the network over half an hour ago. But the PAN agent still thinks it is mapped to the domain user. Age-out timeout is set to 5 min. ... View more

Update on the original situation: There's a serious flaw in using the PAN agent: - domain user logs on, ip is mapped to user - domain user logs off - local user logs on before the domain user-to-ip mapping times out on the device (3600s) - as long as no other domain user logs on to the same pc, the PAN agent sees the ip active, but doesn't even check if it's still the same user Proof of this is in the PAN agent log, fragment of the log at the time a local user was logged on (local username is completely different from domain username): 2011 02 15 13:14:04, PAN_AGENT_GET_NEW_IP: Number of IPs received from device (127.0.0.1): 1 2011 02 15 13:14:04,     QueryIP 10.39.1.98 (mengrp\dieter) done 2011 02 15 13:14:04, Sending 1 IP(s) to device (127.0.0.1) 2011 02 15 13:14:04,     [1] 10.39.1.98 : mengrp\dieter to device (127.0.0.1) This gets logged every other minute or so. Doesn't even matter if the local user logs of or not. The mapping never times out. You'd expect it to time out, what else is the age-out timeout setting in the PAN agent for ? How can I ever be 100% certain that logged traffic is from a specific user ? ... View more

Thank you, I will try that. ... View more

Can I have a first CP policy do NTLM auth and if it fails use a second CP policy asking the user for credentials ? Are CP policies evaluated in a specific order (like security rules) ? ... View more

1. What exactly do you mean with disabling local users ? 2. Lowering the timeout only has effect on the PAN agent. Users are cached on the device with a fixed timeout of 3600 s. That's just too long. 3. no NetBIOS Instead of using an agent, is there any way I can do realtime LDAP checking ? Instead of having policies look at IP addresses (even if you specify users, it comes down to IP's only), have the policies look at the user who's requesting access ? Similar to proxy authentication... ... View more