This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
Accept
Reject

About robinheylen

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
robinheylen
‎01-08-2016
since ‎02-14-2013
L0 Member
User Activity
User Profile
User Badges
Community Statistics
Member Since ‎02-14-2013 05:56 AM
Date Last Visited ‎01-08-2016 07:51 AM
Posts 3

User ip mapping with only Global Protect

by in General Topics
‎08-29-2013 05:00 AM
‎08-29-2013 05:00 AM
Hi all, i have a question regarding user ip mapping when only using Global Protect to authenticate users. Without enabling any user-id agent. Neither external on a server, neither on the firewall. It works as Global Protect identifies the logged-on user and uses this information to notify the firewall to place an user-ip mapping. But I have tested the follow scenario: User A is logged on onto the network with ip x.x.x.x and authenticated by Global Protect. He pulls out the network cable, as on that moment user B connects to the same network with the same ip x.x.x.x User B has takeover the rights of user A. This looks like a major securitybug. Why doesn't Global Protect sets up a concurrent SSL connection to the Portal with a heartbeat, so the Firewall is sure that user A is still the same user? When the SSL connection is broken, the firewall could remove the user-ip mapping. This is kind the way Juniper IC works, but obviously Palo Alto doesn't. Is there an other secure way to maintain user-ip mapping and to be sure there could not be any takover of ip addresses without the use of Active Directory Log reading with an user-id agent (so only with Global Protect)? Best regards ... View more

Re: User mapping - IdleTimout and MaxTimeout architecture with GlobalProtect only (no User ID agents)

by in General Topics
‎07-18-2013 05:05 AM
‎07-18-2013 05:05 AM
Thanx for the info Nadir ! Regarding the strange timeouts displayed, we have the Gateway Licence installed. So it seems that the bug is still not fixed in 5.0.6 ?!? Best regards, Robin ... View more

User mapping - IdleTimout and MaxTimeout architecture with GlobalProtect only (no User ID agents)

by in General Topics
‎07-18-2013 02:44 AM
‎07-18-2013 02:44 AM
We have a setup for up to 2.000 employees. Every employee has the GlobalProtect installed, but we are not using any User ID agent. We have only one portal configured, for both internal and external (vpn) connections. On both gateways (internal and external), we have configured the client tab with a Login Lifetime to 7 days and the Inactivity Logout set to 2 hours. If I run a "show user ip-user-mapping all" on CLI, I notice that users get an initial IdleTimeout and MaxTimeout of 10800 seconds ( 3 hours ). Both timers (IdleTimeout and MaxTimeout) are counting down for approximately 1 hour to 7200 seconds and are than reset to 10800 seconds. My question are: where does the 10800 seconds ( 3 hours ) come from? Where is it set? I thaught it should be 2 hours (as configured on the gateway) why does he counts down for 1 hour and is than resetted? Where is this setting located? What is the difference between IdleTimeout and MaxTimeout? We notice that remote users sometimes get a strange Timeout of 500000 and more/less. Sometimes the 10800 seconds are used. How comes? Is this a bug? (see CLI output below) (for security reasons I replaced the ip's to INT and EXT ip's and the users to someuser) IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s) --------------- ------ ------- -------------------------------- -------------- ------------- x.x.EXT.IP      vsys1  GP      domain\someuser                    456822         456822 x.x.INT.IP     vsys1  GP      domain\someuser                     9801           9801 x.x.INT.IP      vsys1  GP      domain\someuser                      10749          10749 x.x.INT.IP      vsys1  GP      domain\someuser                       8055           8055 x.x.EXT.IP      vsys1  GP      domain\someuser                    9282           9282 x.x.INT.IP      vsys1  GP      domain\someuser                      8799           8799 x.x.INT.IP      vsys1  GP      domain\someuser                    7824           7824 x.x.EXT.IP     vsys1  GP      domain\someuser                    8610           8610 x.x.EXT.IP     vsys1  GP      domain\someuser                    9043           9043 x.x.EXT.IP      vsys1  GP      domain\someuser                    469428         469428 x.x.INT.IP      vsys1  GP      domain\someuser                    8891           8891 x.x.INT.IP      vsys1  GP      domain\someuser                     8608           8608 x.x.INT.IP     vsys1  GP      domain\someuser                      8140           8140 x.x.INT.IP     vsys1  GP      domain\someuser                    8759           8759 x.x.INT.IP      vsys1  GP      domain\someuser                     10732          10732 x.x.INT.IP      vsys1  GP      domain\someuser                     9247           9247 x.x.INT.IP      vsys1  GP      domain\someuser                    10234          10234 x.x.INT.IP     vsys1  GP      domain\someuser                    9770           9770 x.x.INT.IP      vsys1  GP      domain\someuser                    8891           8891 x.x.INT.IP     vsys1  GP      domain\someuser                        9861           9861 x.x.INT.IP      vsys1  GP      pre-logon                        8006           8006 x.x.INT.IP      vsys1  GP      domain\someuser                    10597          10597 x.x.INT.IP      vsys1  GP      domain\someuser                    9325           9325 x.x.EXT.IP      vsys1  GP      domain\someuser                      469583         469583 x.x.INT.IP      vsys1  GP      domain\someuser                    10778          10778 x.x.EXT.IP      vsys1  GP      domain\someuser                    470808         470808 x.x.EXT.IP     vsys1  GP      domain\someuser                    9872           9872 x.x.INT.IP      vsys1  GP      domain\someuser                     8696           8696 x.x.INT.IP      vsys1  GP      domain\someuser                    9452           9452 x.x.INT.IP     vsys1  GP      domain\someuser                    9194           9194 x.x.INT.IP      vsys1  GP      domain\someuser                    8351           8351 x.x.INT.IP      vsys1  GP      domain\someuser                       8321           8321 x.x.INT.IP      vsys1  GP      pre-logon                        10790          10790 x.x.INT.IP      vsys1  GP      domain\someuser                    8707           8707 x.x.INT.IP      vsys1  GP      domain\someuser                      9649           9649 x.x.INT.IP      vsys1  GP      domain\someuser                    9454           9454 We are using PanOS 5.0.6 and GlobalProtect 1.2.4 Best regard ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎01-08-2016 07:51 AM
Latest Tags
No tags yet
LEGAL NOTICES
RESOURCES
Copyright 2007 - 2023 - Palo Alto Networks