Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- LIVEcommunity
- ›
- About TomSpears
About TomSpears
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
10-16-2020
3Posts
0Likes
0Solutions
Oct 16, 2020Last Visited
User
Activity
User
Profile
Latest posts by TomSpears
| Subject | Views | Posted |
|---|---|---|
| 594 | 01-29-2018 02:34 PM | |
| 1534 | 01-29-2018 02:21 PM | |
| 278 | 01-29-2018 02:15 PM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 14 | |||
| 1 | |||
| 1 | |||
| 1 |
User Badges
Public Statistics
| Date Registered | 09-21-2017 08:12 AM |
| Date Last Visited | 10-16-2020 12:34 PM |
| Total Messages Posted | 3 |
01-29-2018
02:34 PM
We've been running into some UID mapping issues, running in agentless mode. It turns out that since we have multiple domains, we weren't uspposed to be using agentless. Instead, PAN advised us to stand up a vm/server in each domain and put an agent on it that can reach out and query the DCs. We were having the same issue, where we were only getting 50-60% of the UIDs. Sometimes we'd get UID, and then it would just drop. We also tried doing switch user, and the UID would still be for the first user. Or you can enforce Captive Portal, but that's really more of a catch-all.
... View more
01-29-2018
02:21 PM
Hi, we've had some issues using the User-ID agent on the PAN, but I think it's due to us having multiple domains. We had the same issues you were having , where we'd get a user-IP mapping 50% of the time. We tried tuning it, but couldn't imrpove it very much. After working with our sales engineer and PAN support, it looks like Captive Portal is the way to go for 100% user-IP mapping, but that can be a little aggressive for the user community. We're looking into the other reccomendation which was having a server in each domain with a software agent that connects to the domain controllers and then reports back to the PAN. We're told this should get us much better results, and son't require us to put an agent on an actual DC.
... View more
01-29-2018
02:15 PM
I tried searching through the community to see if anyone had asked this, but I didn't see anything... Does anyone else get a ton of false positives in correlation events? We're relatively new to Palo, so it may be a config error, but we're seeing TONS of false positives. Mostly triggering as Beacon detection. I can't seem to find a way to tune out the events either. The overwhelming majority of the events are Windows machines getting updates from SCCM. Palo is seeing these hosts visiting a unclassified domain (internal to our network), and downloading multiple EXEs. I get why that's being flagged as beacon Detection, but is there a way to tune the Correlation Object so that it doesn't flag the SCCM traffic? I don't believe I can reclassify the domain, since it's on our network and isn't public facing... Anyone have any experience with this?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
10-16-2020
12:34 PM
|
Latest Blogs
Latest Posts
Copyright 2007 - 2021 - Palo Alto Networks
