Firesight not up to date with AD

inlandprinting
Level 1

I've noticed that every few weeks we'll have an incident where a user is recognized by FireSIGHT incorrectly and, as such, that user's access control policy gets messed up. For example, an office user inherits a production user's IP address. Sourcefire still sees the production user and blocks the office user from all internet access. Has anyone seen this problem before and know of a way to rectify it?

We have tried removing the host entry and the user entry, but the block remains when we do this. I'm assuming if we let it sit long enough it'd time out, but that's not a great option when people can't use the internet. Hoping for some resolution on this. Seems to me this probably happens when a machine loses power and, as such, the AD agent does not recognize a logout event. Then the login event from the user also does not seem to be recognized.

Thanks in advance for any help or insight.

1 Reply

inlandprinting
Level 1

Believe I have solved this myself.

The indicator of this issue that I should have noticed was that only two of my six DCs were logging a last report time. I understand now that this means only two of my six DCs were actually reporting logon/logoff data, which is why there were sync issues.

I fixed this by upgrading the AD agent to version 2.3, dumping the old configuration and adding back the DCs. Note: you can only have five DCs per agent, including the localhost. Then I addressed the reporting issue by creating a GPO that enabled auditing of logon/logoff events and applied that to the domain controllers. Finally, I used a domain admin service account for the querying. After doing all of this, all of my DCs are reporting now, and my user events list has gotten much longer.
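The fix above hinges on every polled DC actually auditing and writing logon/logoff events. The following PowerShell check is an added example, not part of the original thread or the Cisco AD agent; it assumes the ActiveDirectory module is installed, WinRM is reachable on each DC, and the account running it can read the Security log. It reports, per DC, whether the Logon/Logoff audit subcategories have Success auditing enabled and how many 4624/4634 events were written in the last hour, so a DC with "No Auditing" or a zero event count stands out before the agent's last-report-time column does.

```powershell
# Added example: verify each DC audits and logs logon/logoff events that an
# AD agent depends on. Assumes ActiveDirectory module + WinRM access to DCs.
Import-Module ActiveDirectory

$since = (Get-Date).AddHours(-1)   # look-back window for the event count

$report = foreach ($dc in (Get-ADDomainController -Filter *)) {
    $name = $dc.HostName
    try {
        # auditpol /r emits CSV; "Inclusion Setting" shows Success/Failure/No Auditing.
        $audit = Invoke-Command -ComputerName $name -ScriptBlock {
            auditpol /get /subcategory:"Logon","Logoff" /r | ConvertFrom-Csv
        }
        $logonOk  = ($audit | Where-Object Subcategory -eq 'Logon').'Inclusion Setting'  -match 'Success'
        $logoffOk = ($audit | Where-Object Subcategory -eq 'Logoff').'Inclusion Setting' -match 'Success'

        # 4624 = successful logon, 4634 = logoff. Get-WinEvent errors when the
        # filter matches nothing, so silence that and treat it as zero.
        $events = Get-WinEvent -ComputerName $name -FilterHashtable @{
            LogName = 'Security'; Id = 4624, 4634; StartTime = $since
        } -ErrorAction SilentlyContinue

        [pscustomobject]@{
            DC            = $name
            LogonAudit    = [bool]$logonOk
            LogoffAudit   = [bool]$logoffOk
            EventsLastHr  = @($events).Count
            Status        = if ($logonOk -and $logoffOk -and @($events).Count -gt 0) { 'OK' } else { 'CHECK' }
        }
    } catch {
        # Unreachable DC: surface it rather than silently skipping it.
        [pscustomobject]@{ DC = $name; LogonAudit = $null; LogoffAudit = $null
                           EventsLastHr = $null; Status = "ERROR: $($_.Exception.Message)" }
    }
}

$report | Sort-Object Status, DC | Format-Table -AutoSize
```

Any row marked CHECK is a DC the agent can poll but will get no logon/logoff data from, which reproduces the stale-mapping symptom described in the question.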
