I have a question about the events used to map users to IPs in the firewall. According to documentation, the PA uses three event IDs to map users to IPs: 4768, 4769, 4770. The question I have is this: Say a user (his username is bsmith) is an IT administrator, and also has a username of bsmithadmin with administrative rights (he may use this account to map to admin shares, etc.). If the user uses his admin account from his workstation to map shares or authenticate with servers, won't it generate an event ID 4769? In doing research, I found documentation that says a 4769 is generated when users access servers or resources on the network. Wouldn't that cause the PA to map the admin account to the workstation IP instead of his regular user account, thus messing with the policies applied to him? Is there a way to change which events trigger an update in the PA, and say only read event ID 4768s that indicate a successful login?