About dieter_b

Please understand that this actually has nothing to do with the RDP session. This is standard Windows behaviour in a Windows domain: Your DC is the only "authority" that determines whether or not you have access to a resource. This is the logon even I'm talking about. Nothing you do in PaloAlto config wil change that behaviour. All PA does is read that info. ... View more

The problem you're having (user explotacion getting mapped to your local ip address) is perfectly clear. And like I said before: This is excpected behaviour because a logon event is logged. And no, we are not talking about the fact that user explotacio is logging on to the server, we are talking about "a" Windows logon event. Check the security log in event viewer: you'll find thousands of logon events, that have nothing to do with a user logging on (entering username/password) to a computer. The security log on a DC is the source PaloAlto uses to collect these events, since they contain the user and an ip.... After having logged on to the server, almost any action you do locally (like browsing in Windows Explorer, opening an application) will trigger a logon event that should eventually be picked up by UserID. On the conditions that you are in fact in a domein environment (the logon event is checked by the DC) and UserID interval is short enough. ... View more

Simply initiating a RDP session, logs some kind of logon event (checking against AD whether or not that user is allowed to make RDP connections). It doesn't even yet relate to the server you're trying to connect. You can actually reproduce this with a similar logon event: make a connection to an administrative share (\\somepc\c$), Windows will ask for credentials. Say you log on with a domain admin account. That domain admin account will be mapped to your ip address. Until timeout OR until your normal user does some kind of logon event (accessing your home folder can be enough) OR until the WMI probe determines your user. This is all by design. Eventually, is your user mapped back to your ip or not ? If so, how long does it take ? You can monitor it in the CLI using the command "show user ip-user-mapping ip [your ip]" ... View more

Thank you all. It seems that the registry key for Portal is not enough for seamless deployment. My guess is the user needs to log on manually one time, so the GP client can get the correct config (and some handshaking using certificates). After that, all is fine. We're doing SSO, and GP client never asks for credentials again. This process is doable for our users, but ideally we would like to push the config with the deployment. ... View more

On further investigation i found: no difference in file size for the msi's there is a registry key named Portal in HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup which seems to hold the portal address. More testing being done... ... View more

What UserID mechanisms do you use ? At what intervals ? Eventually, your normal user should automatically be picked up again. But that depends on the mechanisms and interval. If you want very tight correlation between actual users and ip's, you'll have to rethink your UserID setup. Take a look at Architecting User Identification Deployments . This and the admin guide helped me a lot in getting UserID right and efficient. ... View more

Does UserID map the user who is connecting to RDP to an ip address ? UserID can have the same user mapped to several ip's, but I'm not sure it can have several users mapped to one ip (except Terminal services agent). My guess is the RDP log on is captured as a logon event and the user is replaced in the ip mapping. We see this behaviour when we do administrative tasks (using a domain admin account) within a restricted user account. But that is expected behaviour for us... In fact, I can reproduce the problem you're describing when connecting to a server using rdp. But shortly after, the normal user is mapped back to the client ip (we're using event log monitoring, session monitoring and wmi client probing; all with short intervals). ... View more

If that's a terminal server where multiple users are active simultaneously, do you have the Terminal Services Agent installed and working ? ... View more

We are talking about the same subnet as our domain: as described these laptops are in fact domain members. But on some we use local users. So there is no way I can filter out certain IP's, because then I probably would not have user id for domain users who log on. The other suggestion is not too good as well: If I ignore user "administrator", it would also ignore my domain administrator. Idem for local users who are equal to domain users. Using the netbios\username notation, it would be quite a hassle to administer. I really wonder why the implementation is so very different with the new agent version in comparison with the old. Edit: In 3.1.2 in the config.xml you have a value like      <domain>mydomain.local</domain> There's no such value in 5.0.6-6 UserIDAgentConfig.xml. Or is it just not documented ?? ... View more

Just tried what you suggested: with client probing disabled, no ip mapping is done. Is there a way I can filter out WMI probing for non-domain users, but keep it for our domain users ? We need probing because we have some turnaround... ... View more

Yes, WMI probing. Would that be te reason a non-domain user is mapped ? Then how can I prevent non-domain users from being collected ? ... View more

Has anyone else seen this behaviour ? ... View more