This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

About apackard

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
apackard
‎08-30-2020
since ‎09-23-2010
L4 Transporter
User Activity
User Profile
Latest posts by apackard
View All
User Badges
Community Statistics
Member Since ‎09-23-2010 09:13 AM
Date Last Visited ‎08-30-2020 02:59 PM
Posts 138
Total Likes Received 11

Re: UserID present on Agent but not Palo Firewall

by in General Topics
‎05-28-2012 10:14 AM
‎05-28-2012 10:14 AM
Note: Should add that the IP range is not being filtered, and we have other valid maps on the same subnet. ... View more

UserID present on Agent but not Palo Firewall

by in General Topics
‎05-28-2012 10:13 AM
‎05-28-2012 10:13 AM
Does anyone know under what conditions a Palo firewall will not be tracking a user ID, when said ID is being tracked by a Palo agent that is active and operational? I have had experience of the agents themselves losing an ID for various reasons, but currently I have a scenario where a user is being prompted via a Captive Portal (a console session validates that the PA does not have a map for their PC), yet the Palo agent does have a valid record for that user at that IP address. ... View more
Labels:

Re: User identifcation gaps

by in General Topics
‎05-22-2012 10:17 AM
1 Kudo
‎05-22-2012 10:17 AM
1 Kudo
Bit of a 'how long is a piece of string question' I'm afraid, so many factors! However - hopefully a bit more useful - one issue I found that could result in mapped users being 'lost' was enabling the 'Server Session' tracking in the agent.  Not sure why specifically, but if this check returns a user mapping that does *not* tally with the currently mapped users the agent 'resets' the node so it doesn't have either account associated. The next time some device activity raises an AD event entry the user account is rermapped, but this does cause periods where no user is known for the device, which sounds like it could be what you're seeing? Try playing with the timeouts, settings etc; or enable transparent NTLM auth for that source IP so it will perform an interactive authentication as that way it will force a background authentication when the kiosk machine connects to the web and should block it. ... View more

Re: Integration with Titus

by in General Topics
‎05-22-2012 06:41 AM
‎05-22-2012 06:41 AM
Not with Titus, but with a similar protective marking product..... ... View more

Data Filtering Patterns

by in General Topics
‎04-26-2012 02:29 AM
‎04-26-2012 02:29 AM
Does anyone know the logic used to interpret data patterns/filtering expressions? By this I mean, if I have two patterns:- Confidential\\Eyes-Only     (exact match Confidential\Eyes-Only) and Confidential\\.+               (wildcard match Confidential\*) Will a file with the string 'Confidential\Eyes-Only' match the former, as the closest match, or the latter as the 'widest' match.  There doesn't appear to be a way to order patterns in threat policies, so other than creating dedicated threat policies for each string, and applying them to individual rules, this function seems quite limited. Also, I have noticed that commit times have increased 5x when working with these type of cutom signatures, does anyone know if this is a sign that my regex logix is 'bad'? Ta ... View more

Panorama Distributed Certs

by in General Topics
‎03-30-2012 11:34 AM
‎03-30-2012 11:34 AM
Am I going mad, or can anyone else not actually use certificates imported in Panorama and then distributed to end devices? Once I have pushed these to PA's I cannot seem to apply them to 'functions' via the GUI or the CLI. Using the same certificate uploaded directly to the PA, everything is fine. I'm on PAN-OS 4.1.4. Rgds ... View more
Labels:

Re: SNMP OID for Management Plane Load

by in General Topics
‎03-20-2012 04:00 PM
‎03-20-2012 04:00 PM
Scott, Thanks for that, kept me on the right track. Found the issue - sort of.  Am using Cacti and the data template I'm using was 'corrupt' i.e. I recreated it exactly and it worked! ... View more

SNMP OID for Management Plane Load

by in General Topics
‎03-20-2012 03:06 PM
‎03-20-2012 03:06 PM
Hi, Has the MIB OID for the Management Plane loading changed in PANOS4.x? I'm trying to poll my PA's and I'm pulling back Data PLane loading but getting an error on the DP OID (25.3.3.1.2.1) Ta! ... View more
Labels:

Re: Captive Portal for AD Users

by in General Topics
‎03-17-2012 10:19 AM
‎03-17-2012 10:19 AM
Thanks for the reply. PAN-OS is 4.1.2 and UserID is 4.1.4-3. The doc was 'User Identification Operations 4.0, and it says:- "Open Server Sessions Any connections to a file or print service on the Domain Controller will also be read by the agent. If the user / IP combination for the session does not match the combination that the Agent last learned the mapping will be removed and the user at the IP address will become unknown. The agent will not update user data as a result of information learned from the open server sessions. If the open session confirms the user at the IP address then that mapping will have its lifetime renewed." I could not see another user mapping to the IP when this occurs for me and, as a test I disabled Server Session tracking, and the problem (appears) to have gone away! Rgds ... View more

Re: What DROPS User -> IP Mappings

by in General Topics
‎03-17-2012 08:02 AM
‎03-17-2012 08:02 AM
After some initial investigations, turning OFF 'Server Session Read' in the agents appears to have stopped the unreliable mapping. This appears to be linked to the Agent removing known maps if they disagree with the info coming back from the server session table.  I am concerned that this fixes one problem and will create another, as the long term stability is likely going to be compromised if we cannot rely on the GPO update cycles to maintain the maps. Does this ring any bells with people - seen it before, know why accurate maps are being removed by the server session tracking function? Rgds ... View more

Re: Captive Portal for AD Users

by in General Topics
‎03-17-2012 06:41 AM
‎03-17-2012 06:41 AM
Hi - have you got any further on this? I have a similar issue - a subset of users (inc. me at the moment!) seem to be much less reliable than the vast majority.  I can actually see my mapping being created, then removed, within 10 seconds, as if something is over-writing the record. The one thing I'm looking at the moment is the 'server enumeration' function in the Agent - as the documentation says that this will remove a current map if it does not match what the enumeration returns. Rgds ... View more

What DROPS User -> IP Mappings

by in General Topics
‎03-17-2012 06:19 AM
‎03-17-2012 06:19 AM
Hi, For no apparent reason my AD account is not generating reliable User->IP mappings via the UserID agent - after working fine for weeks. As part of my investigations into this I can see that my User->IP map is being generated, appearing on the UserID agent list and being listed on the Palo Alto itself; then it will just disappear from both (I've been able to time it from appearing when I access a mapped drive, to dropping off, at less than 10 seconds). Logically there must be some mechanism to purge user->IP maps - logoff AD events? - before the configured timeout value, but I can't find any descriptions, or how to diagnose an issue with this. Anyone else had this issue - or similar? Ta ... View more
Labels:

Re: AD/LDAP admin authentication in 4.1

by in General Topics
‎03-16-2012 04:32 PM
‎03-16-2012 04:32 PM
I'm guessing he's asking for something that I was interested in. I have Kerberos based authentication working, so if I setup a user called BOB, and I have an AD account with the same name I can authenticate using the BOB AD password - all good. However, what I want is to be able to link an AD group without having to create the local account - so if I add TOM to the AD group it automatically allows TOM to login to the Palo without having to create the local account to map to... My view anyway! ... View more

Re: UserID Exclude Not Working

by in General Topics
‎03-07-2012 02:37 PM
‎03-07-2012 02:37 PM
Thanks for the reply. Yes, change committed on the Palo, user cache cleared via the CLI and Palo agents restarted for good measure. None of the above stop IP addresses that are either explicitly excluded, nor implicity excluded, from being registered with the PA. ... View more

UserID Exclude Not Working

by in General Topics
‎03-07-2012 01:58 PM
‎03-07-2012 01:58 PM
Hi, I have a problem where the 'User ID Exclude List' setting within the Zone setup on a Palo is not working. I have set my UserID agents to collect events from all IP addresses, then want to filter them on the PA itself as this seems the most logical sequence.  I initially only added the objects to the 'Include' list that I wanted to collect ID's from (Desktops) but it still pulled back user ID's from the servers, so I added specifi objects to the 'Exclude' section.  This too failed.  I have tried multiple combinations of include/excludes, using PA objects and direct IP subnets, and all fail - if the data is on the UserID agent cache, it is pulled into the firewall. Has anyone else seen this? Am I misunderstanding this feature - even though the Help section is explicit in saying this is what it's for? Cheers ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎08-30-2020 02:59 PM
Likes Given To
View All
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks