Understanding Integrated User Firewall Domain PC Probing
Overview of Domain PC Probing
At a high level, the integrated user firewall feature gathers IP address, user, and group information from Windows Active Directory domain controller event logs and LDAP services. This information is used to generate Active Directory authentication table entries on an NFX Series device. Authentication entries serve as the authentication source for security policies that enforce user-based or group-based access control.
PC probing supplements event log reading. When a user logs in to the domain, the event log records that login. The PC probe is triggered only when the event log provides no IP address-to-user mapping for an address.
Domain information constantly changes as users log in and out of domain PCs. The integrated user firewall probe functionality provides a mechanism for tracking and verifying information in the authentication tables by directly probing domain PCs for IP address-to-user mapping information. New and changed information identified by the probe serves to update Active Directory authentication table entries, which is critical to maintaining firewall integrity.
The IP address filter also impacts the PC probe. Once you configure the IP address filter, only the IP address specified in the filter is probed.
Probing Domain PCs for User Information
The integrated user firewall feature tracks the online status of users by probing domain PCs. If a user is not online or is not an expected user, the Active Directory authentication table is updated as appropriate. The following probe behaviors apply:
Manual probing can cause entries to be removed from the Active Directory authentication table. For example, if there is no response from your PC due to a network issue, such as when the PC is too busy, the IP address entry of the PC is marked as invalid and your access is blocked.
If the device cannot access a domain PC for some reason, such as a network configuration or Windows firewall issue, the probe fails.
Probe Response
Based on the domain PC probe response, updates are made to the Active Directory authentication table, and associated firewall policies take effect. If no response is received from the probe after 90 seconds, the authentication entry times out. The timed-out authentication entry is the pending state authentication entry, which is generated when you start the PC probe.
If the probe is successful, the state of the authentication entry is updated from pending to valid. If the probe is unsuccessful, the state of the authentication entry is marked as invalid. The invalid entry has the same lifetime as a valid entry and is overwritten by upcoming fwauth (firewall authentication process) authentication results or by the event log. Table 1 lists probe responses and corresponding authentication table actions.
Table 1: Probe Responses and Associated Active Directory Authentication Table Actions
| Probe Response from Domain PC | Active Directory Authentication Table Action |
|---|---|
| Valid IP address and username | Add IP-related entry. |
| Logged on user changed | Update IP-related entry. |
| Connection timeout | Update IP-related entry as invalid. |
| Access denied | Update IP-related entry as invalid. |
| Connection refused | Update IP-related entry as invalid. |
| Authentication failed (the configured username and password have no privilege to probe the domain PC) | Update IP-related entry as invalid. |
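The state transitions described above (pending entry created at probe start, valid or invalid depending on the response in Table 1, 90-second pending timeout, and later overwrite by an event log result) can be modelled as a small state machine. The following Python is an added example written for this page, not Juniper code: `AuthTable`, `AuthEntry`, `ProbeResponse` and the treatment of a timed-out pending entry as a failed probe are assumptions made for the illustration; the IP address filter behaviour follows the overview (only filtered addresses are probed).

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Set


class State(Enum):
    PENDING = "pending"    # created when a probe is started
    VALID = "valid"        # probe returned a usable IP address-to-user mapping
    INVALID = "invalid"    # probe failed; keeps the same lifetime as a valid entry


class ProbeResponse(Enum):
    VALID_USER = "valid IP address and username"
    USER_CHANGED = "logged on user changed"
    TIMEOUT = "connection timeout"
    ACCESS_DENIED = "access denied"
    REFUSED = "connection refused"
    AUTH_FAILED = "authentication failed"


# Responses that Table 1 maps to "update IP-related entry as invalid"
FAILURE_RESPONSES = {ProbeResponse.TIMEOUT, ProbeResponse.ACCESS_DENIED,
                     ProbeResponse.REFUSED, ProbeResponse.AUTH_FAILED}

PENDING_TIMEOUT_SECONDS = 90  # a pending entry with no probe response times out after 90 s


@dataclass
class AuthEntry:
    ip: str
    user: Optional[str]
    state: State
    updated_at: float


class AuthTable:
    """Constructed model of the Active Directory authentication table (assumption, not Juniper's code)."""

    def __init__(self, ip_filter: Optional[Set[str]] = None):
        self.entries: Dict[str, AuthEntry] = {}
        self.ip_filter = ip_filter  # None means no IP address filter is configured

    def start_probe(self, ip: str, now: float) -> Optional[AuthEntry]:
        # With an IP address filter configured, only the filtered addresses are probed
        if self.ip_filter is not None and ip not in self.ip_filter:
            return None
        entry = AuthEntry(ip=ip, user=None, state=State.PENDING, updated_at=now)
        self.entries[ip] = entry
        return entry

    def apply_probe_response(self, ip: str, response: ProbeResponse, now: float,
                             user: Optional[str] = None) -> AuthEntry:
        entry = self.entries.get(ip)
        if response in (ProbeResponse.VALID_USER, ProbeResponse.USER_CHANGED):
            if user is None:
                raise ValueError("a successful probe carries a username")
            entry = AuthEntry(ip=ip, user=user, state=State.VALID, updated_at=now)  # add or update
            self.entries[ip] = entry
            return entry
        if response in FAILURE_RESPONSES:
            if entry is None:
                entry = AuthEntry(ip=ip, user=None, state=State.INVALID, updated_at=now)
                self.entries[ip] = entry
            else:
                entry.state = State.INVALID
                entry.updated_at = now
            return entry
        raise ValueError(f"unknown probe response: {response}")

    def expire_pending(self, now: float) -> List[str]:
        # Assumption: a pending entry that outlives the 90 s window is handled like a failed probe
        expired = []
        for entry in self.entries.values():
            if entry.state is State.PENDING and now - entry.updated_at >= PENDING_TIMEOUT_SECONDS:
                entry.state = State.INVALID
                entry.updated_at = now
                expired.append(entry.ip)
        return expired

    def apply_event_log(self, ip: str, user: str, now: float) -> AuthEntry:
        # A later event log (or fwauth) result overwrites the entry, including an invalid one
        entry = AuthEntry(ip=ip, user=user, state=State.VALID, updated_at=now)
        self.entries[ip] = entry
        return entry

    def state_of(self, ip: str) -> Optional[State]:
        entry = self.entries.get(ip)
        return entry.state if entry else None
```

The model makes the operational point of the section visible: every failure row in Table 1 ends in an invalid entry, so a credential problem or a host firewall blocking the probe shows up to the user as lost access until the event log or fwauth supplies a fresh mapping.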
Probe Configuration
On-demand probing is enabled by default. To disable on-demand probing, use the set services user-identification active-directory-access no-on-demand-probe statement. Delete this statement to re-enable probing. When on-demand probing is disabled, manual probing is still available.
The probe timeout value is configurable. The default timeout is 10 seconds. To configure the timeout value, use the following statement:
If no response is received from the domain PC within the wmi-timeout interval, the probe fails and the system either creates an invalid authentication entry or updates the existing authentication entry as invalid. If an authentication table entry already exists for the probed IP address, and no response is received from the domain PC within the wmi-timeout interval, the probe fails and that entry is deleted from the table.
To probe domain PCs, you must configure the integrated user firewall feature with the username and password credentials. You do not necessarily need a username and password account for each PC; instead you could set up one administrator account with privileges to access information on multiple PCs.
Probe Rate and Statistics
The maximum probe rate for the integrated user firewall feature is set by default and cannot be changed. Probe functionality supports 5000 users, or up to 10 percent of the total supported authentication entries, whichever is smaller. The 10 percent limit means that at any time, the number of IP addresses waiting to be probed cannot exceed 10 percent of the total supported authentication entries. For more information about the number of supported Active Directory authentication table entries, see Active Directory Authentication Tables.
High-level statistics covering probe activity are available for the total number of probes and the number of failed probes. Table 1 describes the reasons for probe failures. To display probe statistics, use the show services user-identification active-directory-access statistics ip-user-probe command.
```
user@host> show services user-identification active-directory-access statistics ip-user-probe
Domain: www.example1.net
Total user probe number : 176116
Failed user probe number : 916
Domain: www.example2.net
Total user probe number : 17632
Failed user probe number : 342
```
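Because each failed probe marks an entry invalid (Table 1), the ratio of failed to total probes per domain is a useful health signal to track. The following Python is an added example, not part of the Juniper documentation: it parses output laid out like the show command above (the sample text is constructed from the page's example values) and flags domains whose failure rate exceeds a threshold; the function names and the 1 percent threshold are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample in the layout of the show command's output (values from the page's example)
SAMPLE_OUTPUT = """\
user@host> show services user-identification active-directory-access statistics ip-user-probe
Domain: www.example1.net
Total user probe number : 176116
Failed user probe number : 916
Domain: www.example2.net
Total user probe number : 17632
Failed user probe number : 342
"""

DOMAIN_RE = re.compile(r"^Domain:\s*(\S+)")
TOTAL_RE = re.compile(r"^Total user probe number\s*:\s*(\d+)")
FAILED_RE = re.compile(r"^Failed user probe number\s*:\s*(\d+)")


def parse_probe_stats(text: str) -> Dict[str, Dict[str, int]]:
    """Return {domain: {"total": n, "failed": m}} from the command output."""
    stats: Dict[str, Dict[str, int]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = DOMAIN_RE.match(line)
        if m:
            current = m.group(1)
            stats[current] = {"total": 0, "failed": 0}
            continue
        if current is None:
            continue  # the echoed prompt line precedes the first domain block
        m = TOTAL_RE.match(line)
        if m:
            stats[current]["total"] = int(m.group(1))
            continue
        m = FAILED_RE.match(line)
        if m:
            stats[current]["failed"] = int(m.group(1))
    return stats


def failure_rate(stats: Dict[str, Dict[str, int]], domain: str) -> float:
    """Failed probes as a fraction of total probes; 0.0 when nothing was probed yet."""
    s = stats[domain]
    return s["failed"] / s["total"] if s["total"] else 0.0


def domains_over_threshold(stats: Dict[str, Dict[str, int]], threshold: float = 0.01) -> List[str]:
    """Domains whose probe failure rate exceeds the threshold (assumed default: 1 percent)."""
    return sorted(d for d in stats if failure_rate(stats, d) > threshold)


if __name__ == "__main__":
    parsed = parse_probe_stats(SAMPLE_OUTPUT)
    for domain in parsed:
        print(f"{domain}: {failure_rate(parsed, domain):.2%} of probes failed")
    print("over threshold:", domains_over_threshold(parsed))
```

A domain that crosses the threshold is worth checking against the failure reasons in Table 1: access denied and authentication failed point at the configured probe credentials, while connection timeout and connection refused usually point at network reachability or the Windows firewall on the probed PCs.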