dharmc9

Firewall Not Properly Identifying User IDs Based On The Allocated Ports From Terminal Server Agent



Symptom

  • Traffic logs show that terminal server users (such as Citrix users) are not being identified as the correct users based on the IP address and source port range allocated by the Terminal Services Agent.


  • The incorrect user identification can cause an incorrect Security Policy match, and populates the traffic, threat, and URL logs with the wrong username.


Example:

These are sample IP and Port mappings learned from a TS Agent running on IP 192.168.1.200.  Here "testuser2" is allocated source ports 26600-26999.

admin@PAN-FW > show user ip-port-user-mapping all

TS-Agent 192.168.1.200
Vsys 1, Flag 3
Port range: 20000 - 39999, port count 20000
Number of ports allocated per user terminal session: 200; max 2000
Number of user terminal sessions (port block count): 100
26200-26399: testuser1
26800-26999: testuser2
27000-27199: testuser3
27400-27599: testuser4

In the following session details, the source port is 26913, which is in testuser2's port range. Therefore we expect to see "testuser2" as the source user; however, the user is identified as "testuser3".


admin@PAN-FW > show session id 85872


Session 85872





Environment

  • Customer is using both TS Agents and User-ID Agents (agent-based or agentless)

  • All firewall models

  • All PAN-OS versions


Cause

  • If both TS Agent clients and UID Agents are active in the same environment, conflicts may occur. Most commonly, a double mapping is created where both the TS Agent and the UID Agent have a user mapping for a single IP address.


  • Continuing with the above example, there is an IP-to-user mapping learned from Active Directory by the User-ID Agent that is associated with the IP address of the terminal server.



  • When users log into the terminal server, they authenticate with Active Directory. The UID Agent learns this logon event and creates an IP-User-Mapping with the IP address of the Terminal Server.


  • This is creating a conflict between the IP-User-Mapping from the UID Agent with the IP-Port-User-Mapping learned from the Terminal Server Agent.
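
To make the lookup described in the example and the double mapping described under Cause concrete, here is an added Python diagnostic (not part of the original article or any Palo Alto Networks tool). It parses the ip-port-user-mapping output quoted above, resolves a session's (source IP, source port) to the user the TS Agent port block says should own it, and flags any terminal server IP that also carries an IP-only mapping from the UID Agent. The UID Agent mapping dictionary is a constructed sample.

```python
import re

# Constructed sample: the ip-port-user-mapping output quoted on this page.
TS_AGENT_OUTPUT = """\
TS-Agent 192.168.1.200
Vsys 1, Flag 3
Port range: 20000 - 39999, port count 20000
Number of ports allocated per user terminal session: 200; max 2000
Number of user terminal sessions (port block count): 100
26200-26399: testuser1
26800-26999: testuser2
27000-27199: testuser3
27400-27599: testuser4
"""
# Constructed sample: IP-only mappings learned by the UID Agent (assumed values).
UID_AGENT_MAPPINGS = {"192.168.1.200": "testuser3", "10.0.0.15": "alice"}
PORT_LINE = re.compile(r"^(\d+)-(\d+):\s*(\S+)\s*$")   # "26800-26999: testuser2"
AGENT_LINE = re.compile(r"^TS-Agent\s+(\S+)")           # "TS-Agent 192.168.1.200"

def parse_ts_mappings(text):
    """Return {ts_ip: [(low_port, high_port, user), ...]} from the CLI output."""
    mappings, current = {}, None
    for line in text.splitlines():
        m = AGENT_LINE.match(line)
        if m:
            current = m.group(1)
            mappings.setdefault(current, [])
            continue
        m = PORT_LINE.match(line)
        if m and current:
            mappings[current].append((int(m.group(1)), int(m.group(2)), m.group(3)))
    return mappings

def expected_user(ts_mappings, src_ip, src_port):
    """User the TS Agent port block says owns this (source IP, source port), or None."""
    for low, high, user in ts_mappings.get(src_ip, []):
        if low <= src_port <= high:
            return user
    return None

def double_mapped_ips(ts_mappings, uid_mappings):
    """Terminal server IPs that also have an IP-only mapping from the UID Agent."""
    return sorted(ip for ip in ts_mappings if ip in uid_mappings)

if __name__ == "__main__":
    ts = parse_ts_mappings(TS_AGENT_OUTPUT)
    print(expected_user(ts, "192.168.1.200", 26913))   # testuser2
    print(double_mapped_ips(ts, UID_AGENT_MAPPINGS))   # ['192.168.1.200']
```

Any IP returned by double_mapped_ips is a terminal server that should be excluded from the User-ID Agent's discovery, since its IP-only mapping will override the per-port mapping.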


Resolution

  • With Terminal Server Agents, it is not expected to see IP-User-Mappings associated with the IP address of the Terminal Server.  It is only expected to see IP-Port-User mappings to identify users based on IP and source port.


  • The resolution is to exclude the terminal server IP addresses from the User-ID Agent's discovery. This prevents the User-ID Agents from learning and creating any IP-user-mappings for the IPs associated with the terminal server farm, thus preventing any conflicts with the IP-port-user mappings.


For Agentless UserID:

  1. Go to Device -> User Identification -> User Mapping -> Include/Exclude Networks

  2. Exclude the IP addresses of the Terminal Servers.

  3. Remember to also "include" the other subnets, as adding configuration to this pane applies an implicit "exclude" to any IPs not specified.



For Windows UserID Agent:

  1. Under User Identification -> Discovery -> Include/Exclude list:

  2. Add an exclusion for the Terminal Server IP addresses.

  3. Remember to also add the included subnets, as configuring this pane adds an implicit exclude.


