Focus

User-ID Best Practices

User-ID Best Practices for Syslog Monitoring

Table of Contents

User-ID Best Practices for Syslog Monitoring

Want to learn more about the best ways to use syslogs to associate users with authentication events that originate from many different types of sources?

Next-gen firewalls can parse Syslog log messages to obtain IP address-to-username mappings. You can use authentication events from existing network services and devices such as third-party VPN solution, Network Access Control solution (NACs), or Security Information and Event Management (SIEMs) using Syslog messages. To keep user mappings current, you can also configure to parse syslog messages for logout events so that the firewall automatically deletes outdated mappings.

Plan User-ID Best Practices for Syslog Monitoring Deployment

Review the formats that the syslog senders use to determine what syntax they use, if they include domain names, and that they meet the criteria.
Determine if you want to monitor logon events, logout events, or both. If you want to monitor logout events, verify that the syslog sender includes both the IP address and username in the message.
Based on the syslog messages, determine whether you need to use regex or field identifiers. If the syslog message is consistent and predictable, use field identifiers. If the message is more complex and less predictable, use regex.
Plan to deploy Syslog Monitoring using the PAN-OS integrated User-ID agent on the firewall and not the Windows User-ID Agent.

Deploy Syslog Monitoring Using Best Practices for User-ID

If the syslog senders use different formats, configure a Syslog Parse profile for each format.
If you want to monitor both login and logout events, configure a Syslog Parse profile for each event type.
Enable Allow matching usernames without domains if the syslog messages don’t include the domain name and usernames are unique across all domains.
On the PAN-OS integrated User-ID agent, always use SSL to listen for syslog messages because the traffic is encrypted. Because UDP sends the traffic in cleartext, if you must use UDP, make sure that the syslog sender and client are both on a dedicated, secure network to prevent untrusted hosts from sending UDP traffic to the firewall.
Verify that all the syslog senders you want to monitor are included as entries in the Server Monitoring list; any syslog messages from senders that are not in this list are discarded.
Order the entries in the Filter List in the order of the most likely match. For example, if you think 80% of the syslog messages will match filter1 and 20% will match filter2, then make sure filter1 precedes filter2 in the list.

Use Syslog Monitoring Post-Deployment Best Practices for User-ID

Validate that the syslog messages match the Syslog Parse profiles and that the firewall receives the IP address-to-username mapping from the syslog messages.
Use the show user server-monitor statistics CLI command to validate that the firewall receives the messages from the syslog senders and maps the users correctly

User-ID Best Practices for GlobalProtect

User-ID Best Practices for Redistribution