About faizankhurshid

faizankhurshid · ‎05-17-2018

Hi All Is it good practice to exlude all server subnets in exclude list as I believe we are not interested in administrators to IP mapping for servers? What could be the user cases for exlcude list on firewall and user-id-agent?

faizankhurshid · ‎05-17-2018

@Brandon_Wertz Thanks For This "But I have a question, from users to Domain controller, I should not use user-id feature? as firewall does not know about user-ip mapping untill users are login to domain controller?" What I mean is, lets say users are in trust zone and domain controller are in server zone. I need to make policy to allow users to communicate with DC then this policy I should not use user-ID?

faizankhurshid · ‎05-17-2018

Hi I want to enable user-id features in all security policies. But I have a question, from users to Domain controller, I should not use user-id feature? as firewall does not know about user-ip mapping untill users are login to domain controller? Also on which security rules, I should not enable user-ID?

faizankhurshid · ‎05-17-2018

@reaper Sorry for the confusion. 7K was sending the logs to Panorama M100 with local log collector (hybrid mode) in HA. Now I have dedicated log collector M100, I have added LC but I want to know if I point firewalls to new LC then how I can access the old logs. 1- Panorama M100 can show me the old logs that are on local log collector of Panorama M100? 2- Can I put local log collector of Panorama M100 with new dedicated LC in same log collector group so new LC can sync the old logs from local log collecotr using log redundancy feature?

faizankhurshid · ‎05-16-2018

Hello Is there any procedure I can use to export logs from local log collector to dedicated log collector. As previously firewall was sending logs to local log collector and now sending logs to dedicated log collector. @reaper Regards,

faizankhurshid · ‎05-15-2018

Hi All I have M100 with local log collector. Firwalls are sending logs to M100. Now I want to add dedicated log collector. So I need to reassign firewall to new dedicated log collector. Once I do that, will I be able to see the old logs on M100? If not, then how can I move old logs from local log collector to new dedicated log collector? I have 7k firewall only, can I move old logs from directly firewall to new dedicated log collector? Regards,

faizankhurshid · ‎03-28-2018

@reaper thanks for the crystal clear explaination. I doubled check on agent and there is no netbios and wmi probing enabled. I am using 8.1.0-66. When the user login, firewall is showing correct mapping maximum for some seconds and then it keeping showing "domain-name/computer-name$" and policies are stopped working based on that user-ID

faizankhurshid · ‎03-28-2018

@reaper can you please help me for point 3 specially

faizankhurshid · ‎03-27-2018

Hi 1- On firewall, what is the different between cache timeout value (1 hour that cannot be configure) and idle timeout value (which is equal to user-ID agent timeout value)? 3- if idle timeout value is 480 minutes (8 hours) then what will happen to user-IP mapping after one hour in firewall? 2- Also what events reset both timers? 3- Also I notice when user is login to machine but locked the machine then on user-id agent, it is showing correct username to IP mapping BUT in firewall, it is showing machine name with '$' sign. Once user again unlock and login then on user-id agent still correct username to IP mapping BUT in firewall, it is also now showing correct username to IP mapping. Can someone explain this to me? 192.168.44.100 vsys1 UIA my-domain\windows7$ 28471 28471

faizankhurshid · ‎03-27-2018

@Mick_Ball Thanks. Actually there is auto-lock policy in place, I just want to understand the concept if there is no domain activity then what we can do.

faizankhurshid · ‎03-26-2018

@Mick_Ball Thanks for your explianation. In point 3, what I mean lets say the cache time on agent is 8 hours. So in the morning user login to DC and firewall gets the user-ip mapping from agent and user is good. In evening, the user did not lock his machine and left. In the next morning, oviously user-agent does not have mapping (due to 8 hours passed) and usesr did not login because he left his pc unlock. In this case, your solution is capative portal? If I use exchange logs also with agent as @OtakarKlier mentioned then it wills solve the issue?

faizankhurshid · ‎03-26-2018

Thanks

faizankhurshid · ‎03-26-2018

Hi Experts As you know the default cache time for user-IP mapping in user-ID agent is 45 minutes. If I am not using WMI or netbios or server session monitoring then: 1- How user-IP mapping can be maintained by user-ID agent? This means user has to logout and login again after every 45 minutes? Can I increase this to 10 hours to cover the office timing? 2- At the end of day, user normally lock the machine (instead of logout) and in next morning he unlock and login to machine. Will this generate the authentication event in AD and refresh the user-IP mapping in user-ID agent? 3- What if user even does not lock the machine and there is no auto-lock policy then next monring there will be no user-IP mapping in agent. Then user has to logout and login again? 4- What if there is 'cache domain login policy' then there will be no authentication event in AD and agent does not have any clue. What I can do in this scenario?

faizankhurshid · ‎03-26-2018

@Remo thanks. Last question, for netbios probing is also done against clients ? I need to know how netbios probing works for getting the user-ip mapping. Thanks

faizankhurshid · ‎03-26-2018

Thanks @reaper I also observed for the application unknown-tcp, all vulnerabilities were checked in logs like IIS realted etc

Member Since	‎02-10-2018 12:25 AM
Date Last Visited	‎07-24-2018 08:06 AM
Posts	47
Total Likes Received	1

Online Status	Offline
Date Last Visited	‎07-24-2018 08:06 AM

About faizankhurshid

Re: Palo Alto Layer2 mode and brdige vlan in different subnets

Palo Alto Layer2 mode and brdige vlan in different subnets

Re: QoS for VOIP over IPSEC VPN

Re: How to test regex for syslog parsing correctly or not for user-ID?

Re: Order of preference of source for user and ip mapping

Re: How to test regex for syslog parsing correctly or not for user-ID?

Re: Order of preference of source for user and ip mapping

Order of preference of source for user and ip mapping

How to test regex for syslog parsing correctly or not for user-ID?

QoS for VOIP over IPSEC VPN

Re: User ID agent user-IP mapping refresh evets

Re: Palo Alto Layer2 mode and brdige vlan in different subnets

Re: How to test regex for syslog parsing correctly or not for user-ID?

Re: How to test regex for syslog parsing correctly or not for user-ID?

Re: QoS for VOIP over IPSEC VPN

Re: Order of preference of source for user and ip mapping

User-ID Agent exclusion list

Re: User-ID based policies exclusion

User-ID based policies exclusion

Re: Export logs from local log collector to dedicated log collector

Export logs from local log collector to dedicated log collector

Reassign firewall from local log collector to dedicated log collector

Re: user-ID cache timeout vs idle timeout on firewall

Re: user-ID cache timeout vs idle timeout on firewall

user-ID cache timeout vs idle timeout on firewall

Re: User ID agent user-IP mapping refresh evets

Re: User ID agent user-IP mapping refresh evets

Re: No of User ID agents for HQ and sites

User ID agent user-IP mapping refresh evets

Re: Permissions of user-ID service account for wmi and netbios probing

Re: Same vulnerability profile for dns and web servers security policies

Unlock your full community experience!

About faizankhurshid