Firewall Not Properly Identifying Userids Based On The Allocated Ports From Terminal Server Agent

Created On 01/29/20 22:54 PM - Last Modified 05/18/20 16:30 PM


Symptom


  • Traffic logs show that terminal server users (such as Citrix users) are not being identified as the correct user based on the source IP address and the source port range allocated by the Terminal Services Agent.
  • The incorrect user identification can cause an incorrect Security Policy match and populates the traffic, threat and URL logs with the wrong username.
Example:

These are sample IP and port mappings learned from a TS Agent running on IP 172.16.0.100. Here "testuser2" is allocated source ports 26800-26999.

admin@PAN-FW > show user ip-port-user-mapping all

TS-Agent 172.16.0.100
Vsys 1, Flag 3
Port range: 20000 - 39999, port count 20000
Number of ports allocated per user terminal session: 200; max 2000
Number of user terminal sessions (port block count): 100
26200-26399: testuser1
26800-26999: testuser2
27000-27199: testuser3
27400-27599: testuser4


In the following session details, the source port is 26913, which is in testuser2's port range. We would therefore expect to see "testuser2" as the source user; however, the user is identified as "testuser3".

admin@PAN-FW > show session id 85872

Session           85872
 
        c2s flow:
                source:      172.16.0.100 [Trust]
                dst:         99.99.99.99
                proto:       6
                sport:       26913           dport:      80
                state:       INIT            type:       FLOW
                src user:    testuser3
                dst user:    unknown

        s2c flow:
                source:      99.99.99.99 [Untrust]
                dst:         172.16.0.100
                proto:       6
                sport:       80              dport:      26913
                state:       INIT            type:       FLOW
                src user:    unknown
                dst user:    testuser3

        start time                           : Tue Jan 28 14:27:32 2020
        timeout                              : 15 sec
        total byte count(c2s)                : 637
        total byte count(s2c)                : 66
        layer7 packet count(c2s)             : 5
        layer7 packet count(s2c)             : 1
        vsys                                 : vsys1
        application                          : web-browsing  
        rule                                 : Trust-to-Untrust
        service timeout override(index)      : False
        session to be logged at end          : True
        session in session ager              : False
        session updated by HA peer           : False
        session owner is HA A/A local device : True
        session setup locally HA A/A         : False
        layer7 processing                    : enabled
        URL filtering enabled                : True
        URL category                         : gambling
        session via syn-cookies              : False
        session terminated on host           : False
        session traverses tunnel             : False
        captive portal session               : False
        ingress interface                    : ethernet1/9
        egress interface                     : ethernet1/10
        session QoS rule                     : N/A (class 4)
        tracker stage firewall               : Aged out
        end-reason                           : threat
        handled by FIN proxy                 : s2c, 0 packets

 


Environment


  • Customer is using both TS Agents and User-ID Agents (agent-based or agentless)
  • All firewall models
  • All PAN-OS versions


Cause


  • If both TS Agent and User-ID Agent mappings are active in the same environment, conflicts can occur. Most commonly, a double mapping is created where both the TS Agent and the User-ID Agent hold a user mapping for a single IP address.
  • Continuing with the above example, there is an IP-to-user mapping, learned from Active Directory by the User-ID Agent, that is associated with the IP address of the terminal server:

admin@PAN-FW > show user ip-user-mapping ip 172.16.0.100

IP address:    172.16.0.100(vsys1)
User:          testuser3
From:          AD
Idle Timeout:  2634s
Max. TTL:      2634s
Group(s):      testgroup1



  • When users log into the terminal server, they authenticate with Active Directory. The User-ID agent learns this logon and creates an IP-user mapping for the IP address of the terminal server, the same address the Terminal Server Agent reports.
  • This creates a conflict between the IP-user mapping from the User-ID Agent and the IP-port-user mapping learned from the Terminal Server Agent.


Resolution


  • With Terminal Server Agents, IP-user mappings associated with the IP address of the terminal server are not expected. Only IP-port-user mappings, which identify users by IP address and source port, are expected for that address.
  • The resolution is to exclude the terminal server IP addresses from the User-ID Agent's discovery. This prevents the User-ID Agents from learning and creating any IP-user mappings for the IPs of the terminal server farm, and so prevents conflicts with the IP-port-user mappings.

For Agentless User-ID:

  1. Go to Device -> User Identification -> User Mapping -> Include/Exclude Networks.
  2. Exclude the IP addresses of the terminal servers.
  3. Remember to also "include" the other subnets: adding any entry to this pane applies an implicit "exclude" to every IP address not listed.


For Windows User-ID Agent:

  1. Go to User Identification -> Discovery -> Include/Exclude list.
  2. Add an exclusion for the terminal server IP addresses.
  3. Remember to also add the included subnets, as configuring this pane applies an implicit exclude.

See also: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/user-identification/device-user-identification-user-mapping/include-or-exclude-subnetworks-for-user-mapping
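The following is an added example, not part of this article or of any Palo Alto Networks tool. It parses the two CLI excerpts shown above (embedded here as constructed sample text), flags terminal server IPs that also carry an IP-user mapping, and models the user lookup with and without the exclusion; the rule that an IP-user mapping for the terminal server address overrides the port-block mapping is an assumption derived from this article's session output, not a documented precedence order.

```python
import re

# Constructed sample text, taken from the CLI excerpts in this article.
IP_PORT_USER_MAPPING = """\
TS-Agent 172.16.0.100
Port range: 20000 - 39999, port count 20000
26200-26399: testuser1
26800-26999: testuser2
27000-27199: testuser3
27400-27599: testuser4
"""
IP_USER_MAPPING = """\
IP address:    172.16.0.100(vsys1)
User:          testuser3
From:          AD
"""

def parse_ip_port_user_mapping(text):
    """Return {ts_ip: [(low, high, user), ...]} from 'show user ip-port-user-mapping all'."""
    mappings, ts_ip = {}, None
    for line in text.splitlines():
        m = re.match(r"TS-Agent\s+(\S+)", line)
        if m:
            ts_ip = m.group(1)
            mappings.setdefault(ts_ip, [])
            continue
        m = re.match(r"\s*(\d+)-(\d+):\s*(\S+)", line)  # port-block lines only
        if m and ts_ip:
            mappings[ts_ip].append((int(m.group(1)), int(m.group(2)), m.group(3)))
    return mappings

def parse_ip_user_mapping(text):
    """Return {ip: user} from 'show user ip-user-mapping ...' output."""
    users, ip = {}, None
    for line in text.splitlines():
        m = re.match(r"IP address:\s+([\d.]+)", line)
        if m:
            ip = m.group(1)
        m = re.match(r"User:\s+(\S+)", line)
        if m and ip:
            users[ip] = m.group(1)
    return users

def find_conflicts(ip_user, ip_port_user):
    """Terminal server IPs that also have an IP-user mapping (the double mapping in Cause)."""
    return {ip: ip_user[ip] for ip in ip_port_user if ip in ip_user}

def identify_user(ip, sport, ip_user, ip_port_user):
    """Assumed lookup order: an IP-user mapping wins, otherwise match the source port block."""
    if ip in ip_user:
        return ip_user[ip]
    for low, high, user in ip_port_user.get(ip, []):
        if low <= sport <= high:
            return user
    return "unknown"

def exclude_terminal_servers(ip_user, ip_port_user):
    """Model the fix: no IP-user mappings are kept for addresses served by a TS Agent."""
    return {ip: u for ip, u in ip_user.items() if ip not in ip_port_user}
```

Running find_conflicts over fresh output from both commands is a quick way to confirm the exclusion took effect after the change.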