Palo Alto Networks Knowledgebase: What Login Credentials Does Palo Alto Networks User-ID Agent See when Using RDP?

What Login Credentials Does Palo Alto Networks User-ID Agent See when Using RDP?

5845
Created On 10/15/19 14:19 PM - Last Updated 10/15/19 14:50 PM
Device Management Initial Configuration Installation QoS Zone and DoS Protection
Resolution

Issue

The user wants to perform a RDP session from the device they are logged onto, to a device that needs to be remotely accessed.

 

Details

The User-ID Agent (software or hardware) captures the logon user that is used to authenticate to the remote desktop window.

Shown below is an explanation of the process in an example scenario:

  • User1 is logged onto the 10.10.10.10.
  • During authentication, a security log is generated on the Domain Controller.
  • The UI agent picks up the logs and the firewall creates the mapping of user1 ---> 10.10.10.10
  • User user1 creates an RDP session to the 10.10.20.20
  • The user authenticates with the user user_admin
  • During authentication, a logon event is created for the user user_admin coming from the 10.10.10.10 IP address,
  • This event creates the mapping of user_admin ----> 10.10.10.10,
  • Since the firewall can hold only one mapping for one IP address, the user changes the mapping for the 10.10.10.10.
  • When the user disconnects from the remote session of 10.10.20.20, since the log-off events are not relayed to the User-ID process, the mapping user_admin ----> 10.10.10.10 stays valid on the firewall so if there is a policy that is using the user1 as a reference, that policy will be missed.

 

This behavior is by design, and since it is relaying on the logon logs only from the windows domain controller, the last logon event stays in the IP-User mapping table.

 

Workaround

To work around this behavior, users have two options:

  1. Use the same account to create the RDP session (user1).
  2. If an administrative account is needed to escalate privileges (user_admin), then add that user to an exclusion list.


Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CleBCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language