Symptom
- Traffic logs show that terminal server users (such as Citrix users) are not being identified as the correct user based on the IP address and source port range allocated by the Terminal Services Agent (TS Agent).
- The incorrect user identification can cause an incorrect Security Policy match, and populates the traffic, threat and URL logs with the wrong username.
Example:
These are sample IP and port mappings learned from a TS Agent running on IP 192.168.1.200. Here "testuser2" is allocated source ports 26600-26999.
admin@PAN-FW > show user ip-port-user-mapping all
TS-Agent 192.168.1.200
Vsys 1, Flag 3
Port range: 20000 - 39999, port count 20000
Number of ports allocated per user terminal session: 200; max 2000
Number of user terminal sessions (port block count): 100
26200-26399: testuser1
26800-26999: testuser2
27000-27199: testuser3
27400-27599: testuser4
In the following session details, the source port is 26913, which falls within testuser2's port range. We would therefore expect "testuser2" as the source user, but the session is identified as "testuser3".
admin@PAN-FW > show session id 85872
Session 85872
c2s flow:
source: 192.168.1.200 [Trust]
dst: 1.1.1.1
proto: 6
sport: 26913 dport: 80
state: INIT type: FLOW
src user: testuser3
dst user: unknown
s2c flow:
source: 1.1.1.1 [Untrust]
dst: 192.168.1.200
proto: 6
sport: 80 dport: 26913
state: INIT type: FLOW
src user: unknown
dst user: testuser3
start time : Tue Jan 28 14:27:32 2020
timeout : 15 sec
total byte count(c2s) : 637
total byte count(s2c) : 66
layer7 packet count(c2s) : 5
layer7 packet count(s2c) : 1
vsys : vsys1
application : web-browsing
rule : Trust-to-Untrust
service timeout override(index) : False
session to be logged at end : True
session in session ager : False
session updated by HA peer : False
session owner is HA A/A local device : True
session setup locally HA A/A : False
layer7 processing : enabled
URL filtering enabled : True
URL category : gambling
session via syn-cookies : False
session terminated on host : False
session traverses tunnel : False
captive portal session : False
ingress interface : ethernet1/2
egress interface : ethernet1/1
session QoS rule : N/A (class 4)
tracker stage firewall : Aged out
end-reason : threat
handled by FIN proxy : s2c, 0 packets
Environment
- Customer is using both TS Agents and User-ID Agents (agent-based or agentless)
- All firewall models
- All PAN-OS versions
Cause
- If both TS Agent clients and User-ID Agents are active in the same environment, conflicts may occur. Most commonly, a double mapping is created where both the TS Agent and the User-ID Agent hold a user mapping for a single IP address.
- Continuing the example above, the User-ID Agent has learned an IP-to-user mapping from Active Directory that is associated with the IP address of the terminal server:
admin@PAN-FW > show user ip-user-mapping ip 192.168.1.200
IP address: 192.168.1.200(vsys1)
User: testuser3
From: AD
Idle Timeout: 2634s
Max. TTL: 2634s
Group(s): testgroup1
- When users log in to the terminal server, they authenticate against Active Directory. The User-ID Agent learns this logon event and creates an IP-user mapping for the IP address of the terminal server (the host running the TS Agent).
- This IP-user mapping from the User-ID Agent conflicts with the IP-port-user mapping learned from the TS Agent, and the firewall resolves the session to the wrong user.
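To make the symptom and the cause checkable from CLI output rather than by eye, the following added script (not Palo Alto Networks code) parses constructed copies of the two "show user" outputs from this article, looks up which user the TS Agent port block says owns a given source IP and port, and flags any terminal-server IP that also carries a plain IP-user mapping (the double mapping described above). The line layout of the CLI output is an assumption based on the samples shown here.

```python
"""Diagnose TS Agent / User-ID Agent mapping conflicts from PAN-OS CLI output.

Added example, not Palo Alto Networks code. The sample CLI text below is
constructed to mirror the article; the parser's expectations about the output
layout (one 'TS-Agent <ip>' header followed by 'lo-hi: user' lines, and
'IP address: / User: / From:' lines) are an assumption, not a documented format.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: output of 'show user ip-port-user-mapping all'
IP_PORT_USER_OUTPUT = """\
TS-Agent 192.168.1.200
Vsys 1, Flag 3
Port range: 20000 - 39999, port count 20000
Number of ports allocated per user terminal session: 200; max 2000
Number of user terminal sessions (port block count): 100
26200-26399: testuser1
26800-26999: testuser2
27000-27199: testuser3
27400-27599: testuser4
"""

# Constructed sample: output of 'show user ip-user-mapping ip 192.168.1.200'
IP_USER_OUTPUT = """\
IP address: 192.168.1.200(vsys1)
User: testuser3
From: AD
Idle Timeout: 2634s
Max. TTL: 2634s
Group(s): testgroup1
"""

PortBlock = Tuple[int, int, str]  # (first_port, last_port, user)

TS_AGENT_RE = re.compile(r"^TS-Agent\s+([\d.]+)")
BLOCK_RE = re.compile(r"^(\d+)-(\d+):\s*(\S+)")
IP_LINE_RE = re.compile(r"^IP address:\s*([\d.]+)")


def parse_ip_port_user(text: str) -> Dict[str, List[PortBlock]]:
    """Map terminal-server IP -> list of (lo, hi, user) port blocks."""
    blocks: Dict[str, List[PortBlock]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = TS_AGENT_RE.match(line)
        if m:
            current = m.group(1)
            blocks.setdefault(current, [])
            continue
        m = BLOCK_RE.match(line)
        if m and current is not None:
            blocks[current].append((int(m.group(1)), int(m.group(2)), m.group(3)))
    return blocks


def parse_ip_user(text: str) -> Dict[str, Tuple[str, str]]:
    """Map IP -> (user, source) from 'show user ip-user-mapping' output."""
    result: Dict[str, Tuple[str, str]] = {}
    ip = user = source = None
    for raw in text.splitlines():
        line = raw.strip()
        m = IP_LINE_RE.match(line)
        if m:
            ip = m.group(1)
        elif line.startswith("User:"):
            user = line.split(":", 1)[1].strip()
        elif line.startswith("From:"):
            source = line.split(":", 1)[1].strip()
        if ip and user and source:  # one complete record collected
            result[ip] = (user, source)
            ip = user = source = None
    return result


def expected_user(ts_blocks: Dict[str, List[PortBlock]], ip: str, sport: int) -> Optional[str]:
    """User the TS Agent port blocks assign to (ip, source port), or None if unallocated."""
    for lo, hi, user in ts_blocks.get(ip, []):
        if lo <= sport <= hi:
            return user
    return None


def find_conflicts(ts_blocks: Dict[str, List[PortBlock]],
                   ip_users: Dict[str, Tuple[str, str]]) -> List[str]:
    """Terminal-server IPs that also carry a plain IP-user mapping (double mapping)."""
    return sorted(ip for ip in ts_blocks if ip in ip_users)


def check_session(ts_blocks, ip_users, src_ip: str, sport: int, observed_user: str) -> dict:
    """Compare the user the firewall chose with the user the port block implies."""
    expected = expected_user(ts_blocks, src_ip, sport)
    return {
        "expected_user": expected,
        "observed_user": observed_user,
        "mismatch": expected is not None and expected != observed_user,
        "conflicting_ip_user": ip_users.get(src_ip),  # (user, source) or None
    }


if __name__ == "__main__":
    blocks = parse_ip_port_user(IP_PORT_USER_OUTPUT)
    users = parse_ip_user(IP_USER_OUTPUT)
    # Session from the article: src 192.168.1.200, sport 26913, identified as testuser3
    print(check_session(blocks, users, "192.168.1.200", 26913, "testuser3"))
    print("double-mapped terminal servers:", find_conflicts(blocks, users))
```

On the article's data the check reports expected_user testuser2, observed_user testuser3, mismatch True, and names 192.168.1.200 as double-mapped with the AD-sourced entry for testuser3, which is exactly the condition the Resolution section removes. In practice you would feed the script the saved output of the two commands for every terminal-server address in the farm.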
Resolution
- With Terminal Server Agents, IP-user mappings associated with the IP address of the terminal server are not expected. Only IP-port-user mappings should exist for that address, so that users are identified by IP and source port.
- The resolution is to exclude the terminal server IP addresses from the User-ID Agent's discovery. This prevents the User-ID Agents from learning and creating any IP-user mappings for the IPs of the terminal server farm, and so removes the conflict with the IP-port-user mappings.
For Agentless User-ID:
- Go to Device -> User Identification -> User Mapping -> Include/Exclude Networks
- Exclude the IP addresses of the terminal servers
- Remember to also "include" the other subnets: adding any entry to this pane applies an implicit "exclude" to every IP not listed.
For Windows User-ID Agent:
- Under User Identification -> Discovery -> Include/Exclude list:
- Add an exclusion for the terminal server IP addresses
- Remember to also add the included subnets, as configuring this pane adds an implicit exclude.
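The implicit-exclude behaviour in both steps is easy to get wrong: an exclude-only list silently stops all discovery. The following added model (not PAN-OS code) encodes the article's description of the Include/Exclude list so a planned list can be audited before it is applied. It assumes that an explicit exclude takes precedence over an overlapping include, which matches the use case here (exclude a few hosts inside an included subnet); the subnets and addresses are constructed.

```python
"""Audit a planned User-ID Include/Exclude Networks list before applying it.

Added example, not PAN-OS code. It models the article's statement that once
any entry exists, IPs not covered by an include entry are implicitly excluded,
and assumes an explicit exclude wins over an overlapping include.
"""
import ipaddress
from typing import List, Tuple

Entry = Tuple[str, str]  # ("include" | "exclude", CIDR string)


def is_discovered(ip: str, entries: List[Entry]) -> bool:
    """True if User-ID discovery would keep a mapping for this IP under the list."""
    addr = ipaddress.ip_address(ip)
    if not entries:
        return True  # empty list: no restriction at all
    nets = [(action, ipaddress.ip_network(cidr, strict=False)) for action, cidr in entries]
    if any(action == "exclude" and addr in net for action, net in nets):
        return False  # assumption: explicit exclude takes precedence
    # implicit exclude: anything not matched by an include entry is dropped
    return any(action == "include" and addr in net for action, net in nets)


def audit(entries: List[Entry], terminal_servers: List[str], sample_hosts: List[str]) -> List[str]:
    """Return human-readable problems with the planned list (empty list = looks fine)."""
    problems: List[str] = []
    if entries and not any(action == "include" for action, _ in entries):
        problems.append("list has excludes but no includes: all discovery is implicitly excluded")
    for ts in terminal_servers:
        if is_discovered(ts, entries):
            problems.append(f"terminal server {ts} is still discovered; add an exclude for it")
    for host in sample_hosts:
        if not is_discovered(host, entries):
            problems.append(f"ordinary host {host} would no longer be mapped; add its subnet as include")
    return problems


# Constructed data: one terminal server and two ordinary workstation addresses
TERMINAL_SERVERS = ["192.168.1.200"]
WORKSTATIONS = ["192.168.5.10", "10.20.30.40"]

# First attempt: only the exclusion, as an administrator might configure it
EXCLUDE_ONLY: List[Entry] = [("exclude", "192.168.1.200/32")]
# Corrected list: exclusion plus the subnets that should still be discovered
CORRECTED: List[Entry] = [
    ("exclude", "192.168.1.200/32"),
    ("include", "192.168.0.0/16"),
    ("include", "10.20.0.0/16"),
]

if __name__ == "__main__":
    for name, entries in (("exclude-only", EXCLUDE_ONLY), ("corrected", CORRECTED)):
        print(name, audit(entries, TERMINAL_SERVERS, WORKSTATIONS) or ["ok"])
```

Running the audit against the exclude-only list reports that every workstation would stop being mapped, while the corrected list passes: the terminal server is excluded and the two workstation subnets remain included.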