created by PANW1337 on May 21, 2009 12:43 PM, last modified by panagent on Apr 14, 2014 7:41 AM
The User-ID Agent monitors the domain controllers for the following events:
Windows 2003
672 (Authentication Ticket Granted, which occurs at the moment of logon)
673 (Service Ticket Granted)
674 (Ticket Granted Renewed, which may happen several times during the logon session)
Windows 2008
4768 (Authentication Ticket Granted)
4769 (Service Ticket Granted)
4770 (Ticket Granted Renewed)
4624 (Logon Success)
For an account logon, the DC records event ID 672 (the authentication ticket request) as the first logon event; no separate account logon event is recorded.
If NetBIOS probing is enabled, any connection to a file or print service on a server in the Monitored Server list will also
be read by the agent. These connections give the agent updated user-to-IP mapping information. In all
cases the newer event overwrites the older mapping for that IP address.
If WMI probing is enabled, make sure the probing interval is reasonable for the number of
workstations the agent may need to query. For example, with 5,000 hosts to probe, do not set a probing
interval of 10 minutes: the agent would have to complete more than eight probes per second to finish each cycle.
Both of these settings are under User Identification > Setup > Client Probing on the
User-ID agent:
https://live.paloaltonetworks.com/docs/DOC-1052 Page 1 of 5
User-ID Agent Setup Tips | Palo Alto Networks Live 3/24/15, 11:24 AM
In some cases the WMI probe will fail because the workstation is running a local firewall or is not
a member of the domain. If this happens, the mapping can be deleted once the cache timeout is
exceeded even though the workstation is up and passing traffic. To test, run the following command from
the User-ID agent host:
wmic /node:workstationIPaddress computersystem get username
It should return the user currently logged in to that computer.
If you are not confident the workstations will respond to WMI probes, set the User-ID cache timeout to a
higher value, since the mapping then depends only on the user's logon events. In that case, if the cache
timeout expires after the initial logon event without a probe refreshing the entry, the mapping is deleted even though the user is still
logged in. This setting is under User Identification > Setup > Cache on the User-ID agent:
Confirm that all of your domain controllers are in the list of servers to monitor. If they are not, you may
miss some user-to-IP mappings, since any domain controller can potentially authenticate the users.
Confirm that your domain controller list is accurate. You can run the following command from a domain
controller to list all of the domain controllers:
dsquery server -o rdn (this prints a list of your DCs). Remove any DCs that no longer
exist.
Confirm that User-ID is enabled on the zone from which the traffic will be sourced. This setting is under
Network > Zones:
owner: jteetsel