
Understanding How the WMIC Reads the Event Log on the Domain Controller

Windows Management Instrumentation Client

When you configure the integrated user firewall feature on an SRX Series device, the SRX Series establishes a Windows Management Instrumentation (WMI)/Distributed Component Object Model (DCOM) connection to the domain controller. The SRX Series acts as a WMI client (WMIC): it reads and monitors the security event log on the domain controller and analyzes the event messages to generate IP address-to-user mapping information.

All configuration regarding the WMIC is optional; it functions with default values. After the domain is configured (by the set services user-identification active-directory-access domain statement), the WMIC starts to work. The WMIC connection to the domain controller uses the same user credentials as those configured for the domain.

WMIC Reads the Event Log on the Domain Controller

The following SRX Series behaviors apply to reading the event log:

  • The SRX Series monitors the event log at a configurable interval, which defaults to 10 seconds.
  • The SRX Series reads the event log for a certain timespan, which you can configure. The default timespan is one hour. At each WMIC startup, the SRX Series compares the timestamp of the last event it read against the configured timespan. If that timestamp is older than the timespan, the timespan takes effect and only events within it are read. Once the WMIC and the UserID process are running, the timespan no longer applies; the SRX Series simply reads the newest event log entries.
  • During WMIC startup, the SRX Series has a maximum count of events it will read from the event log, and that maximum is not configurable.
    • On SRX Series branch devices, the maximum count is 100,000.
    • On SRX high-end devices, the maximum count is 200,000.

    During WMIC startup, this maximum applies together with the timespan setting: when either limit is reached, the WMIC stops reading the event log.

  • After a failover, the SRX Series reads the event log from the latest event log timestamp.
  • In a chassis cluster environment, the WMIC works on the primary node only.

Specifying IP Filters to Limit IP-to-User Mapping

You can specify IP filters to limit the IP address-to-user mapping information that the SRX Series generates from the event log.

To understand when a filter is useful for such mapping, consider the following scenario. A customer deploys 10 SRX Series devices in one domain, and each SRX Series controls a branch. Without a filter, all 10 SRX Series devices read the user login events of all 10 branches from the domain controller, even though each SRX Series only needs to detect whether a user is authenticated on the branch it controls. With an IP filter configured, each SRX Series reads only the event log entries for the IP addresses under its control.

You can configure a filter to include or exclude IP addresses or prefixes. You can specify a maximum of 20 addresses for each filter.
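The following Python model ties together the two behaviours described above: the startup read of the event log (timespan, last timestamp and maximum event count) and the include/exclude IP filter with its 20-entry limit. It is an added example, not Juniper's code or a description of the SRX Series implementation. The logon records are constructed sample data, not real log output. Three details the page does not state are assumptions here and are marked as such in the code: an exclude entry takes precedence over an include entry, the maximum event count is applied to events read before filtering, and the most recent logon from an address replaces any earlier mapping for it.

```python
"""Added example (not Juniper's code): models the WMIC startup read rules and the
IP filter described on this page, run over constructed logon records."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

MAX_FILTER_ENTRIES = 20  # page: at most 20 addresses or prefixes per filter


@dataclass(frozen=True)
class LogonEvent:
    """One successful-logon record as the WMIC would see it in the security log."""
    timestamp: datetime
    user: str
    ip: str


class IPFilter:
    """Include/exclude filter over addresses or prefixes, 20 entries each."""

    def __init__(self, include=(), exclude=()):
        if len(include) > MAX_FILTER_ENTRIES or len(exclude) > MAX_FILTER_ENTRIES:
            raise ValueError("a filter holds at most 20 addresses or prefixes")
        self.include = [ip_network(p, strict=False) for p in include]
        self.exclude = [ip_network(p, strict=False) for p in exclude]

    def allows(self, ip: str) -> bool:
        addr = ip_address(ip)
        # Assumption: an exclude entry wins over an include entry.
        if any(addr in net for net in self.exclude):
            return False
        # With no include entries, every non-excluded address passes.
        if self.include:
            return any(addr in net for net in self.include)
        return True


def startup_read(events, now, last_timestamp, timespan=timedelta(hours=1),
                 max_count=100_000, ip_filter=None):
    """Model of the WMIC startup read.

    The read starts at the later of the last timestamp and (now - timespan): if
    the last timestamp is older than the timespan, the timespan takes effect.
    Reading stops once max_count events have been consumed (100,000 is the
    branch-device default on the page). Returns (ip -> user mapping, events read).
    """
    window_start = now - timespan
    start = max(last_timestamp, window_start) if last_timestamp else window_start
    mapping = {}
    consumed = 0
    for ev in sorted(events, key=lambda e: e.timestamp):
        if ev.timestamp <= start or ev.timestamp > now:
            continue
        if consumed >= max_count:
            break  # maximum count reached: stop reading
        consumed += 1  # assumption: the count applies before the IP filter
        if ip_filter is not None and not ip_filter.allows(ev.ip):
            continue
        mapping[ev.ip] = ev.user  # assumption: latest logon for an address wins
    return mapping, consumed


# Constructed sample records (not real data); NOW is an arbitrary reference time.
NOW = datetime(2014, 9, 18, 12, 0, 0)
SAMPLE_EVENTS = [
    LogonEvent(NOW - timedelta(hours=3), "alice", "10.1.1.10"),     # outside timespan
    LogonEvent(NOW - timedelta(minutes=40), "bob", "10.1.1.11"),
    LogonEvent(NOW - timedelta(minutes=30), "carol", "10.2.1.20"),  # other branch
    LogonEvent(NOW - timedelta(minutes=20), "dave", "10.1.1.11"),   # re-logon, same IP
    LogonEvent(NOW - timedelta(minutes=10), "erin", "10.1.1.99"),   # excluded address
]


def branch_mapping():
    """Branch SRX that only cares about 10.1.1.0/24, minus one excluded host.
    The last timestamp is five hours old, so the one-hour timespan takes effect."""
    filt = IPFilter(include=["10.1.1.0/24"], exclude=["10.1.1.99"])
    return startup_read(SAMPLE_EVENTS, NOW,
                        last_timestamp=NOW - timedelta(hours=5), ip_filter=filt)


def capped_read(max_count):
    """Unfiltered read with no prior timestamp, capped at max_count events."""
    return startup_read(SAMPLE_EVENTS, NOW, last_timestamp=None, max_count=max_count)


if __name__ == "__main__":
    print(branch_mapping())  # ({'10.1.1.11': 'dave'}, 4)
    print(capped_read(2))    # ({'10.1.1.11': 'bob', '10.2.1.20': 'carol'}, 2)
```

In branch_mapping() the three-hour-old logon for alice is never read because the one-hour timespan wins over the five-hour-old last timestamp, carol is read but dropped by the include prefix, erin is dropped by the exclude entry, and dave's later logon replaces bob's on the same address. capped_read() shows the maximum count cutting the read short in timestamp order.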

Event Log Verification and Statistics

You can verify that the authentication table is receiving IP address and user information by issuing the show services user-identification active-directory-access active-directory-authentication-table all command. A list of IP address-to-user mappings is displayed for each domain. The table contains no group information until LDAP is running.

You can see statistics about reading the event log by issuing the show services user-identification active-directory-access ip-user-mapping statistics domain command.

Published: 2014-09-18