This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
Accept
Reject
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

About TomSpears

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements
We are conducting regularly scheduled maintenance over the weekend, which could cause some downtime on LIVEcommunity. We apologize for any inconvenience.
TomSpears
‎06-23-2021
since ‎09-21-2017
L1 Bithead
User Activity
User Profile
Latest posts by TomSpears
View All
User Badges
Community Statistics
Member Since ‎09-21-2017 08:12 AM
Date Last Visited ‎06-23-2021 10:11 PM
Posts 3

Re: Intermittent username drops

by in General Topics
‎01-29-2018 02:34 PM
‎01-29-2018 02:34 PM
We've been running into some UID mapping issues, running in agentless mode.  It turns out that since we have multiple domains, we weren't uspposed to be using agentless.  Instead, PAN advised us to stand up a vm/server in each domain and put an agent on it that can reach out and query the DCs.  We were having the same issue, where we were only getting 50-60% of the UIDs.  Sometimes we'd get UID, and then it would just drop.  We also tried doing switch user, and the UID would still be for the first user.   Or you can enforce Captive Portal, but that's really more of a catch-all.   ... View more

Re: Windows Based User-ID Agent Setup

by in General Topics
‎01-29-2018 02:21 PM
‎01-29-2018 02:21 PM
Hi, we've had some issues using the User-ID agent on the PAN, but I think it's due to us having multiple domains.  We had the same issues you were having , where we'd get a user-IP mapping 50% of the time.  We tried tuning it, but couldn't imrpove it very much.  After working with our sales engineer and PAN support, it looks like Captive Portal is the way to go for 100% user-IP mapping, but that can be a little aggressive for the user community.   We're looking into the other reccomendation which was having a server in each domain with a software agent that connects to the domain controllers and then reports back to the PAN.  We're told this should get us much better results, and son't require us to put an agent on an actual DC. ... View more

Correlation Event - Tuningout False Positives?

by in General Topics
‎01-29-2018 02:15 PM
‎01-29-2018 02:15 PM
I tried searching through the community to see if anyone had asked this, but I didn't see anything...  Does anyone else get a ton of false positives in correlation events?  We're relatively new to Palo, so it may be a config error, but we're seeing TONS of false positives.  Mostly triggering as Beacon detection.  I can't seem to find a way to tune out the events either.   The overwhelming majority of the events are Windows machines getting updates from SCCM.  Palo is seeing these hosts visiting a unclassified domain (internal to our network), and downloading multiple EXEs.  I get why that's being flagged as beacon Detection, but is there a way to tune the Correlation Object so that it doesn't flag the SCCM traffic?  I don't believe I can reclassify the domain, since it's on our network and isn't public facing...   Anyone have any experience with this? ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎06-23-2021 10:11 PM
Likes Given To
LEGAL NOTICES
RESOURCES
Copyright 2007 - 2022 - Palo Alto Networks