Tips & Tricks: Considerations for TS Agent and User-ID Agent in a Mixed Environment
Symptom
In an environment where both TS Agent and UIA are configured to ascertain which users are logged into certain systems, some precautions need to be taken to prevent incorrect mapping of users, mainly regarding the Terminal servers, where multiple users can be logged in at the same time.
Environment
- Palo Alto Firewalls
- Supported PAN-OS versions
- Terminal Server (TS) Agent
- User-ID Agent (UIA)
- Domain Controllers (DC)
Cause
Both agents achieve user mapping in their own distinct way:
- UIA maps a single user to a single IP address by reading login events from the DC, or by determining the logged-in user through WMI probing, access to a network drive, or an API call from an integrated Access Point.
- TS Agent is only active on the system it is installed on and works by assigning source port ranges (it actively participates in the network stack) to logged-in users, informing the firewall which source ports are used by each user.
If both agents are active in the same environment, and hosts with the TS Agent installed are part of the same network as the regular clients, some conflicts may occur. Most commonly, a double mapping could be created where both TS Agent and UIA have a user mapping for a single IP address.
> show user ip-user-mapping all
IP Vsys From User IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
10.192.16.98 vsys1 UIA pantac\administrator 3590 3590
> show user ip-port-user-mapping all
Global max host index 1, host hash count 1
TS-Agent 10.192.16.98
Vsys 1, Flag 3
Port range: 20000 - 39999, port count 20000
Number of ports allocated per user terminal session: 200; max 2000
Number of user terminal sessions (port block count): 100
20000-20199: pantac\eng
20200-20399: pantac\tpiens
Typically, the logged-in users will be assigned a source port range by the TS Agent and be identified as such by the firewall, while service accounts could trigger UIA login events, which are picked up from the DC security log and generate an ip-user-mapping entry in UIA. Any outgoing connection from such a service account would then be identified by the ip-user-mapping instead of the ip-port-user-mapping.
In some scenarios, it may be undesirable to allow ip-user-mapping to occur for a Terminal server, as this mapping can be triggered by several processes and is hard to control (drive mapping to a server with a UIA installed, performing remote tasks with different usernames), especially in a mixed environment where users with highly different privileges access the same Terminal server.
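As an added example (not part of the original article), the following script parses the two CLI outputs quoted above and reports Terminal servers that carry both a TS-Agent port mapping and an ip-user-mapping, which is the double-mapping condition described here. The sample output is constructed from the page's own entries plus one hypothetical extra row; the parsers key only on the formats shown.

```python
import re

# Constructed sample output, modelled on the two quoted CLI commands.
# The 10.192.20.7 row is a hypothetical regular client added for contrast.
IP_USER_OUTPUT = r"""
IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
10.192.16.98    vsys1  UIA     pantac\administrator             3590           3590
10.192.20.7     vsys1  UIA     pantac\alice                     2400           3600
"""

IP_PORT_USER_OUTPUT = r"""
Global max host index 1, host hash count 1
TS-Agent 10.192.16.98
Vsys 1, Flag 3
Port range: 20000 - 39999, port count 20000
Number of ports allocated per user terminal session: 200; max 2000
Number of user terminal sessions (port block count): 100
20000-20199: pantac\eng
20200-20399: pantac\tpiens
"""

def parse_ip_user(text):
    """Return {ip: (source, user)} from 'show user ip-user-mapping all' output."""
    mappings = {}
    for line in text.splitlines():
        parts = line.split()
        # Header and separator rows are skipped; data rows start with an IPv4 address.
        if len(parts) >= 4 and re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", parts[0]):
            mappings[parts[0]] = (parts[2], parts[3])
    return mappings

def parse_ip_port_user(text):
    """Return {ts_host_ip: {user: [(low_port, high_port), ...]}} per TS-Agent host."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = re.match(r"TS-Agent\s+(\S+)", line)
        if m:  # a new TS-Agent host block begins; later port lines belong to it
            current = hosts.setdefault(m.group(1), {})
            continue
        m = re.match(r"(\d+)-(\d+):\s+(\S+)", line)
        if m and current is not None:
            current.setdefault(m.group(3), []).append((int(m.group(1)), int(m.group(2))))
    return hosts

def find_double_mappings(ip_user_text, ip_port_text):
    """IPs that are TS-Agent hosts and also have an ip-user-mapping (double mapping)."""
    ip_user, ts_hosts = parse_ip_user(ip_user_text), parse_ip_port_user(ip_port_text)
    return {ip: {"ip_user": ip_user[ip], "ts_users": sorted(users)}
            for ip, users in ts_hosts.items() if ip in ip_user}
```

Running `find_double_mappings` on the sample flags 10.192.16.98 only, since 10.192.20.7 has no TS-Agent block; the same parsers can be pointed at saved output of both commands to audit a live deployment.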