created by PANW1337 on May 21, 2009 12:43 PM, last modified by PANW1337 on Feb 7, 2014 9:22 AM
The User-ID Agent monitors the security logs of the domain controllers for the following Kerberos events:
Windows 2003
672 (Authentication Ticket Granted; logged at the moment of logon)
673 (Service Ticket Granted)
674 (Ticket Granted Renewed; may be logged several times during a logon session)
Windows 2008
4768 (Authentication Ticket Granted)
4769 (Service Ticket Granted)
4770 (Ticket Granted Renewed)
For an account logon, the DC records event ID 672 (4768 on Windows 2008) for the initial authentication ticket request, and that is the event that first establishes the user-to-IP mapping.
No corresponding account logoff event is recorded, so the agent never receives a logoff signal that would remove a mapping; mappings only change when a newer event overwrites them or when the cache timeout expires them.
If NetBIOS probing is enabled, any connection to a file or print service on a server in the Monitored Server list will also be read by the agent. These connections provide updated user-to-IP mapping information to the agent. In all cases the newer event for a user mapping overwrites the older one.
If WMI probing is enabled, make sure the probing interval is set to a value that is reasonable for the number of workstations the agent may need to query. For example, if there are 5,000 hosts to probe, do not set a probing interval of 10 minutes. Both of these settings are under User Identification > Setup > Client Probing on the User-ID agent.
3/25/2014 User-ID Agent Setup Tips | Palo Alto Networks Live
In some cases the WMI probe will fail because the workstation is running a local firewall or is not a member of the domain. If this happens, the mapping can be deleted once the cache timeout is exceeded even though the workstation is still up and passing traffic. To test whether a workstation answers WMI, run the following command from the User-ID agent host, substituting the workstation's IP address:
wmic /node:<workstation IP address> computersystem get username
It should return the user currently logged in to that computer. If it times out or returns an RPC or access-denied error, the agent's probes to that host will fail in the same way.
If you are not confident that the workstations will respond to WMI probes, set the User-ID cache timeout to a higher value, because the mapping will then depend solely on the user's logon events. Otherwise, once the cache timeout is exceeded after the initial logon event and no probe has refreshed the entry, the mapping will be deleted even though the user is still logged in. This setting is under User Identification > Setup > Cache on the User-ID agent.
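To make the mapping and timeout behaviour described above concrete, here is an added Python model of a user-to-IP cache that is fed by the monitored DC events, refreshed by client-probe results, and expired by the cache timeout. This is an illustration written for this page, not Palo Alto Networks' agent code. The event lines, account names, addresses and timeout values are constructed sample data, and the assumption that the timeout is measured from the newest event or successful probe for an address is mine rather than something the page states.

```python
"""Model of how an agent in the style described above derives user-to-IP
mappings from DC Kerberos events and keeps them alive with client probes.
Added illustration, not the vendor's agent code; all data is constructed."""
import re

# Event IDs the page says the agent watches.
MONITORED_EVENT_IDS = {
    # Windows 2008 numbering
    4768: "Authentication Ticket Granted",
    4769: "Service Ticket Granted",
    4770: "Ticket Granted Renewed",
    # Windows 2003 numbering
    672: "Authentication Ticket Granted",
    673: "Service Ticket Granted",
    674: "Ticket Granted Renewed",
}

# Constructed sample export (not a real log). Columns:
# <seconds since agent start> <event id> <account> <client address>
SAMPLE_DC_EVENTS = """\
0    4768 CORP\\alice 10.1.2.50
60   4769 CORP\\alice 10.1.2.50
120  4768 CORP\\bob   10.1.2.50
900  4770 CORP\\alice 10.1.2.51
950  4634 CORP\\alice 10.1.2.51
"""
# (4634 is included only as an ID outside the monitored set; it is ignored.)

EVENT_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})$")


def parse_events(text):
    """Parse the sample export into (timestamp, event_id, user, ip) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = EVENT_RE.match(line)
        if not m:
            raise ValueError(f"unparseable event line: {line!r}")
        ts, eid, user, ip = m.groups()
        events.append((int(ts), int(eid), user, ip))
    return events


class UserIdCache:
    """User-to-IP table keyed by client IP. An entry lives until cache_timeout
    seconds have passed since the newest event or successful probe for that IP
    (assumed semantics). There is no logoff event that removes it."""

    def __init__(self, cache_timeout):
        self.cache_timeout = cache_timeout
        self._by_ip = {}  # ip -> (user, last_seen)

    def observe(self, ts, event_id, user, ip):
        """Feed one DC event. Returns True if it updated the table."""
        if event_id not in MONITORED_EVENT_IDS:
            return False
        self._by_ip[ip] = (user, ts)  # the newer event always overwrites
        return True

    def probe(self, ts, ip, answer):
        """Record a client-probe result. answer is the username the probe
        returned, or None when the probe failed (host firewall, not
        domain-joined). A failed probe changes nothing, so the entry keeps
        ageing toward the timeout even though the host is still up."""
        if answer is None:
            return False
        self._by_ip[ip] = (answer, ts)
        return True

    def lookup(self, ip, now):
        """User currently mapped to ip, or None once the entry has expired."""
        entry = self._by_ip.get(ip)
        if entry is None:
            return None
        user, last_seen = entry
        if now - last_seen > self.cache_timeout:
            del self._by_ip[ip]  # expired: treated as if the user logged off
            return None
        return user


def replay(cache_timeout, probe_answers, probe_at, ask_at, ip):
    """Replay SAMPLE_DC_EVENTS into a fresh cache, run one probe round at
    probe_at using probe_answers (ip -> username or None), then answer
    'who is on ip?' at ask_at."""
    cache = UserIdCache(cache_timeout)
    for ts, eid, user, addr in parse_events(SAMPLE_DC_EVENTS):
        cache.observe(ts, eid, user, addr)
    for addr, answer in probe_answers.items():
        cache.probe(probe_at, addr, answer)
    return cache.lookup(ip, ask_at)


if __name__ == "__main__":
    # Workstation answers WMI: the probe refreshes bob's mapping on 10.1.2.50.
    print(replay(2700, {"10.1.2.50": "CORP\\bob"}, 2000, 3000, "10.1.2.50"))
    # Probe blocked by a host firewall: with a 45-minute timeout the mapping
    # has aged out of the cache although bob never logged off.
    print(replay(2700, {"10.1.2.50": None}, 2000, 3000, "10.1.2.50"))
    # Same failed probe, but a timeout long enough to outlast a working day.
    print(replay(28800, {"10.1.2.50": None}, 2000, 3000, "10.1.2.50"))
```

The three calls in the `__main__` block are the three situations the text describes: a working probe keeps the mapping fresh, a failed probe with a short timeout silently drops a user who is still logged in, and raising the timeout is the workaround when probes cannot be trusted. Note also that bob's 4768 at 120 seconds overwrote alice's earlier mapping for the same address, which is the "newer event overwrites older" rule.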
Confirm that all of your domain controllers are in the list of servers to monitor. If any are missing you may not get all of the user-to-IP mappings, since any domain controller can potentially authenticate a given user.
Confirm that your domain controller list is accurate. You can run the following command from a domain controller to get a list of all the domain controllers:
dsquery server -o rdn
This prints out a list of your DCs. Remove from the agent's list any DCs that no longer exist.
Confirm that User-ID is enabled on the zone from which the traffic will be sourced. This setting is under Network > Zones.
owner: jteetsel
2 Comments
I'd like to have access to the "dclocator.exe" program. The FTP instructions above don't seem to work
for me.
Please advise...