About faizankhurshid

Hi All   Is it good practice to exlude all server subnets in exclude list as I believe we are not interested in administrators to IP mapping for servers?   What could be the user cases for exlcude list on firewall and user-id-agent? ... View more

Hi   I want to enable user-id features in all security policies. But I have a question, from users to Domain controller, I should not use user-id feature? as firewall does not know about user-ip mapping untill users are login to domain controller? Also on which security rules, I should not enable user-ID? ... View more

Hi    1- On firewall, what is the different between cache timeout value (1 hour that cannot be configure) and idle timeout value (which is equal to user-ID agent timeout value)?  3- if idle timeout value is 480 minutes (8 hours) then what will happen to user-IP mapping after  one hour in firewall? 2- Also what events reset both timers? 3- Also I notice when user is login to machine but locked the machine then on user-id agent, it is showing correct username to IP mapping BUT in firewall, it is showing machine name with '$' sign. Once user again unlock and login then on user-id agent still correct username to IP mapping BUT in firewall, it is also now showing correct username to IP mapping. Can someone explain this to me?   192.168.44.100   vsys1   UIA   my-domain\windows7$           28471     28471  ... View more

Hi Experts   As you know the default cache time for user-IP mapping in user-ID agent is 45 minutes. If I am not using WMI or netbios or server session monitoring then:   1- How user-IP mapping can be maintained by user-ID agent? This means user has to logout and login again after every 45 minutes? Can I increase this to 10 hours to cover the office timing? 2- At the end of day, user normally lock the machine (instead of logout) and in next morning he unlock and login to machine. Will this generate the authentication event in AD and refresh the user-IP mapping in user-ID agent? 3- What if user even does not lock the machine and there is no auto-lock policy then next monring there will be no user-IP mapping in agent. Then user has to logout and login again? 4- What if there is 'cache domain login policy' then there will be no authentication event in AD and agent does not have any clue. What I can do in this scenario? ... View more

Hi All   As I know to read the logs from DC, "Event Log Readers" permission is required for service account.  For WMI probing to clients, I need all below (please correct me if I am wrong)   1- Service account permission should be "Server Operators" in AD to read the CIMV2 namespace on the client systems 2- Give proper permission to the service account for WMI CIMv2 on each client system by using wmimgmt.msc 3- Make sure the Windows firewall will allow client probing by adding a remote administration exception to the Windows firewall for each probed client   Questions: - For point 2, this need to be done on each client system individually or can be done through GPO? I have more than 7000 users in network - By default wmi probing is done by user-ID agent against only the clients? NOT against AD servers? - For netbios probing, what permissions are required for service account? ... View more