What Login Credentials Does Palo Alto Networks User-ID Agent See when Using RDP?

Created On 09/25/18 19:48 PM - Last Modified 10/15/19 14:50 PM



The user wants to open an RDP session from the device they are logged onto to a device that needs to be accessed remotely.



The User-ID Agent (software or hardware) captures the logon user name that is used to authenticate in the remote desktop window.

Shown below is an explanation of the process in an example scenario:

  • User1 is logged onto the
  • During authentication, a security log is generated on the Domain Controller.
  • The User-ID agent picks up the logs and the firewall creates the mapping of user1 --->
  • User user1 creates an RDP session to the
  • The user authenticates with the user user_admin.
  • During authentication, a logon event is created for the user user_admin coming from the IP address,
  • This event creates the mapping of user_admin ---->,
  • Since the firewall can hold only one mapping for one IP address, this new logon changes the mapping for the
  • When the user disconnects from the remote session of, the mapping user_admin ----> stays valid on the firewall, because log-off events are not relayed to the User-ID process. If a policy references user1, that policy will be missed, since it no longer matches the user mapped to that IP address.


This behavior is by design: because User-ID relies only on the logon logs from the Windows domain controller, the last logon event remains in the IP-to-user mapping table.



To work around this behavior, users have two options:

  1. Use the same account to create the RDP session (user1).
  2. If an administrative account is needed to escalate privileges (user_admin), then add that user to an exclusion list.
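The following is an added simulation, not Palo Alto Networks code, that replays the scenario above against a model of the one-mapping-per-IP table. It assumes the constructed placeholder IP 10.0.0.10 for user1's workstation and that both logon events carry that same source IP, and it shows how the second workaround (an exclusion list for user_admin) keeps the user1 mapping and the policy match intact.

```python
from dataclasses import dataclass, field

# Constructed sample of Windows DC security-log events in the order User-ID
# would read them: (event_type, user, source_ip). The IP is a placeholder,
# not a value from the article.
EVENTS = [
    ("logon", "user1", "10.0.0.10"),        # user1 logs onto the workstation
    ("logon", "user_admin", "10.0.0.10"),   # user1 opens RDP and authenticates as user_admin
    ("logoff", "user_admin", "10.0.0.10"),  # RDP session ends; log-off events are not relayed
]


@dataclass
class UserIdMapper:
    """Minimal model of the firewall's IP-to-user mapping table."""
    ignore_list: set = field(default_factory=set)
    mapping: dict = field(default_factory=dict)

    def ingest(self, event_type, user, ip):
        if event_type != "logon":
            return  # only logon events drive the mapping; log-offs are never seen
        if user.lower() in self.ignore_list:
            return  # excluded accounts never overwrite an existing mapping
        self.mapping[ip] = user  # one mapping per IP address: the last logon wins

    def user_for(self, ip):
        return self.mapping.get(ip)


def policy_matches(mapper, ip, policy_user):
    """True if a user-based policy written for policy_user still applies to ip."""
    return mapper.user_for(ip) == policy_user


def replay(ignore_list=()):
    """Feed the sample events through a mapper with the given exclusion list."""
    mapper = UserIdMapper(ignore_list={u.lower() for u in ignore_list})
    for event in EVENTS:
        mapper.ingest(*event)
    return mapper


if __name__ == "__main__":
    print("no exclusion:", replay().mapping)                     # {'10.0.0.10': 'user_admin'}
    print("with exclusion:", replay(["user_admin"]).mapping)     # {'10.0.0.10': 'user1'}
```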
