This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew

About djr

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
djr
‎05-06-2026
since ‎11-18-2011
L4 Transporter
User Activity
User Profile
Latest posts by djr
View All
User Badges
Community Statistics
Member Since ‎11-18-2011 07:49 AM
Date Last Visited ‎05-06-2026 12:58 AM
Posts 112
Total Likes Received 14

Delay with User-ID and Captive Portal

by in General Topics
‎05-14-2015 07:36 AM
‎05-14-2015 07:36 AM
HI, This is only theoretical for me as I don't use captive portal (yet) but I noticed a problem.  I am successfully authenticating pretty much all my users, but quite often I see a few flows at the start of a user session which doesn't have a user-id.  A few milliseconds later the user-id is populated, so I guess this is just down to a slight delay between the first packets hitting the firewall and the user-id coming up with an answer. This is no big deal but it made me think if I did have a captive portal to identify all unknown users, a domain-authenticated user would still find themselves presented with a captive portal login page if they fire off an HTTP request very early on in their session. Is this a known behaviour?  It seems like a bit of an issue to me.  I know my users would moan about it. Cheers David ... View more
Labels:

Re: When new version of User-ID agent will release to support on Active Directory 2012 version ?

by in General Topics
‎01-14-2015 08:58 AM
‎01-14-2015 08:58 AM
Can I assume this includes 2012 R2? Thanks ... View more

Re: User-ID Agent Windows Firewall Settings

by in General Topics
‎01-05-2015 01:59 AM
‎01-05-2015 01:59 AM
Hi, The "first rule" was the rule based on the service process rather than the port based rules for SYSLOG and the User ID agent port Your last line is precisely why I went for the service-based option.  I prefer to think of processes as trusted, so allowing the service is better in my mind than allowing all the ports it may need (and having to reverse engineer which ports it needs as Steven said).  It also means if I add another User ID mechanism I don't have to go round my agents fiddling with firewall rules. I do think a KB article or preferably something in the documentation on the windows firewall config would be reasonable, if the software installation doesn't do that for you. ... View more

User-ID Agent Windows Firewall Settings

by in General Topics
‎12-03-2014 11:15 AM
‎12-03-2014 11:15 AM
Hi, I just found a bit of a weird problem with the User-ID on a 2008 server due to the windows firewall. I am using AD service polling and SYSLOG feeds for the User-ID but I couldn't get the syslog messages to be recognised.  I could see them hitting the server via wireshark and when I turned of f the Windows Firewall they started working so it was clear where the problem was. When I configured the Windows Firewall I selected the user ID service and allowed all ports and protocols to it (inbound rule).  This meant that the firewalls could connect to it and I confirmed that was working OK. The only way I could get the syslog messages through was to create another rule allowing UDP 514 through to any program/service. Looking up with netstat though, port UDP514 was owned by the UAService.exe process which was the same as port TCP 5007 so that seemed as if it ought to work with the initial rule. Can anyone shed any light on why that first rule didn't work and what the recommended windows firewall rules are? (I did a search and couldn't see any articles on this) Thanks ... View more
Labels:

Re: What happens when a User-ID agent restarts?

by in General Topics
‎12-03-2014 08:44 AM
‎12-03-2014 08:44 AM
Yes that's the command I usually use but I have to say I had not noticed the column headings!  For me the max and idle values are always the same so I had learned to ignore the last one. Anyway that is great thank you for being so helpful,it has answered my question very thoroughly. ... View more

Re: What happens when a User-ID agent restarts?

by in General Topics
‎12-03-2014 04:19 AM
‎12-03-2014 04:19 AM
That makes sense, but where are these two timeouts configured?  On my firewall and agent config I can only see a "user timeout". ... View more

Re: What happens when a User-ID agent restarts?

by in General Topics
‎12-03-2014 01:32 AM
‎12-03-2014 01:32 AM
Great that sounds like it does what I want.  The only thing I didn't understand from your explanation was the "If any user mappings still exist on the firewall that require refresh,"  under what circumstances does the firewall ask for a refresh? ... View more

What happens when a User-ID agent restarts?

by in General Topics
‎12-03-2014 12:48 AM
‎12-03-2014 12:48 AM
I have been using the agentless user-id but it seems to be overloading my firewalls so I am moving to a separate agent.  I am trying to decide whether I need one or two though and need to understand what happens when an agent restarts. When it loses the agent, does the firewall drop all its user mappings? When the agent comes back does it drip-feed new mappings or does it clear the existing mappings on the firewall from that source? In other words, if my server were to reboot, would the firewalls carry on and pick up where they left off (accepting I would miss that any events while the agent were down) or would I lose all my user mapopings either when it went down or when it came back? Most of my user mappings are from SYSLOG so are not re-generated.  Once they are gone, that's it. ... View more
Labels:

Re: HA Failover moniring Management port

by in General Topics
‎11-17-2014 06:07 AM
1 Kudo
‎11-17-2014 06:07 AM
1 Kudo
By the way I tested this and it does not work!  I set the path monitoring to ping the gateway of the management interface's network and failed my management interface.  The device did not fail over but it did crash! So I logged a support ticket and the answer came back that it would have used any available path for the path monitoring.  Unfortunately because it stayed active, my AD lookups stacked up and the useridd process crashed, the firewall wouldn't respond on the console and the only way out was to power it off. So if you set the box up using the DEFAULT, to use the management port for service routes and your management port goes down... It can't be made to fail over It can no longer resolve any users It can't update It can't be managed You can't get on via the console and it crashes key processes Why has no-one else realised that a failure of the management port is the achilles heel of the HA? ... View more

Re: HA Failover moniring Management port

by in General Topics
‎11-05-2014 06:18 AM
1 Kudo
‎11-05-2014 06:18 AM
1 Kudo
Ah right, well my one is a lot simpler than yours, it just shows "use management interface for all" which for me is probably the best choice anyway.  As you say it keeps the data plane free for the data. Thanks very much, this has been very helpful and I have emailed my SE with the request. Best regards ... View more

Re: HA Failover moniring Management port

by in General Topics
‎11-05-2014 06:08 AM
‎11-05-2014 06:08 AM
How can you choose which interface to use anyway?  I don't think I have set anything up to tell it which interface to use, it just does it. ... View more

Re: HA Failover moniring Management port

by in General Topics
‎11-05-2014 05:53 AM
‎11-05-2014 05:53 AM
Thanks, I have done that.  Just to be clear though, if the management port fails, the firewall will route the AD lookups and logs to panorama etc via the trust interface?  It is L3 but I don't have any of the management services enabled and I don't presently have the trust address enabled on my panorama server as a valid source. ... View more

HA Failover moniring Management port

by in General Topics
‎11-05-2014 04:36 AM
‎11-05-2014 04:36 AM
Hi,  I have an active/passive HA setup and have link state monitoring enabled on my data interfaces, but I notice I can't select the management port for this.  To my thinking, if I lose the management port I would want the cluster to fail over because it would no longer be able to log to Panorama, or to look up user IDs. How would you recommend doing this?  Is link path monitoring (using the management IP as the source) the only way? ... View more
Labels:

Re: Can I sort or filter a threat report on Severity?

by in General Topics
‎10-31-2014 08:15 AM
1 Kudo
‎10-31-2014 08:15 AM
1 Kudo
Brilliant, thank you.  I was using the threat summary - not the detailed logs.  Working perfectly now. ... View more

Can I sort or filter a threat report on Severity?

by in General Topics
‎10-31-2014 07:42 AM
‎10-31-2014 07:42 AM
I have created a really useful daily report of threats but it's full of stuff I am not too worried about so would like to filter it based on the severity. I have included the threat severity in the columns displayed but it won't let me use the severity in the filtering criteria. Is there a way round this?  I can't even sort from High to low. ... View more
Labels:
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎05-06-2026 12:58 AM
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2026 - Palo Alto Networks