Enable User-ID on the Cloud NGFW for Azure
Table of Contents
Expand all | Collapse all
-
- Cloud NGFW for Azure
- Cloud NGFW Components
- Cloud NGFW for Azure Supported Regions
- Cloud NGFW for Azure Limits and Quotas
- Cloud NGFW for Azure Pricing
- Cloud NGFW for Azure Free Trial
- Cloud NGFW Credit Distribution and Management
- Start with Cloud NGFW for Azure
- Manage Cloud NGFW Roles for Azure Users
- Integrate Single Sign-on
- Monitor Cloud NGFW Health
- Create a Support Case
- Register Your Cloud NGFW Tenant with a Palo Alto Networks Support Account
- Cloud NGFW for Azure Certifications
- Cloud NGFW For Azure Privacy and Data Protection
-
- About Rulestacks and Rules on Cloud NGFW for Azure
- Create a Rulestack on Cloud NGFW for Azure
- Cloud NGFW for Azure Security Rule Objects
- Create a Prefix List on Cloud NGFW for Azure
- Create an FQDN List for Cloud NGFW on Azure
- Add a Certificate to Cloud NGFW for Azure
- Create Security Rules on Cloud NGFW for Azure
- Cloud NGFW for Azure Security Services
- Enable DNS Security on Cloud NGFW for Azure
- Set Up Outbound Decryption on Cloud NGFW for Azure
- Set Up Inbound Decryption on Cloud NGFW for Azure
-
- Panorama Integration
- Panorama Integration Prerequisites
- Link the Cloud NGFW to Palo Alto Networks Management
- Use Panorama for Cloud NGFW Policy Management
- Enable User-ID on the Cloud NGFW for Azure
- Configure Service Routes for On-Prem Services
- Use XFF IP Address Values in Policy
- View Cloud NGFW Logs and Activity in Panorama
- Strata Cloud Manager Policy Management
-
- Configure Logging for Cloud NGFW on Azure
- Cloud NGFW for Azure Traffic Log Fields
- Cloud NGFW for Azure Threat Log Fields
- Cloud NGFW for Azure Decryption Log Fields
- Enable Log Settings
- Disable Log Settings
- Enable Activity Logging on Cloud NGFW for Azure
- Multiple Logging Destinations on Cloud NGFW for Azure
- View the Logs
- View Audit Logs on a Firewall Resource
- View Audit Logs on Resource Groups
- What's New
- Cloud NGFW for Azure Known Issues
- Cloud NGFW for Azure Addressed Issues
Enable User-ID on the Cloud NGFW for Azure
Learn how to enable User-ID on the Cloud NGFW for Azure.
The user identity, as opposed to an IP address, is an integral component of
an effective security infrastructure. Knowing who is using each of the applications
on your network, and who may have transmitted a threat or is transferring files, can
strengthen security policies and reduce incident response times. User-ID™, a
standard feature on the Palo Alto Networks firewall, enables you to leverage user
information stored in a wide range of repositories. See PAN-OS documentation learn more about
User-ID concepts.
To enforce policy from User-ID or Groups:
- Firewall must be able to map the IP addresses to the usernames.
- User-ID provides various mechanisms for collecting the user mapping information. To learn more, click here.
- If the mapping methods are unable to capture the mapping, then you can configure the Authentication Policy to redirect users to an Authentication portal login. Users can provide credentials which will be checked against the identity provider and enforce access accordingly. Learn more about Authentication policy here.
Cloud NGFW today supports Server Monitoring mapping via
agent install only.
To enable Users and Groups based policy:
- The Firewall requires a list of all available users and their corresponding group memberships.
- The Panorama collects group mapping information by connecting directly to the LDAP server and then distribute it to the Cloud NGFW.
For Cloud NGFW deployment, we recommend using the Server Monitoring using Palo Alto
Networks Terminal Server Agent or a windows-based agent running on a domain server
in the network.
- Enable User-ID.
- Log in to Panorama.Select NetworkZones and click the zone Name.Enable User Identification and click OK.Create a Dedicated Service Account for the User-ID Agent.Map Users to Groups.Configure IP address mapping to Users. The Cloud NGFW for Azure supports IP-to-user mapping using the Windows User-ID agent or Terminal Server Agent.Specify the networks to include and exclude from user mapping.As a best practice, always specify which networks to include and exclude from User-ID. This allows you to ensure that only your trusted assets are probed and that unwanted user mappings are not created unexpectedly.
- Select NetworkZones and select Zone where you're configuring User-ID.Add your networks to Include and Exclude lists as needed.Click OK.Enable user and group based policy enforcement.After enabling User-ID on your Cloud NGFW, you can use a username or group name as the source or destination of a security policy rule.
- Select PoliciesSecurity and click Add to create a new security policy rule or click a security policy name to modify an existing rule.Select User and specify which users and groups to match in the rule in one of the following ways.
- If you want to select specific users or groups as matching criteria, click Add in the Source User section to display a list of users and groups discovered by the firewall group mapping function. Select the users or groups to add to the rule.
- If you want to match any user who has or has not authenticated and you don’t need to know the specific user or group name, select known-user or unknown from the drop-down above the Source User list.
Configure the rest of the rule as appropriate and then click OK to save it. For details on other fields in the security rule, see Set Up a Basic Security Policy.Create rules based on group rather than user whenever possible. This prevents you from having to continually update your rules (which requires a commit) whenever your user base changes.Create the security policy rules to safely enable User-ID within your trusted zones and prevent User-ID traffic from egressing your network.Follow the Best Practice Internet Gateway Security Policy to ensure that the User-ID application (paloalto-userid-agent) is only allowed in the zones where your agents (both your Windows agents and your PAN-OS integrated agents) are monitoring services and distributing mappings to firewalls. Specifically:- Allow the paloalto-userid-agent application between the zones where your agents reside and the zones where the monitored servers reside (or even better, between the specific systems that host the agent and the monitored servers).
- Allow the paloalto-userid-agent application between the agents and the firewalls that need the user mappings and between firewalls that are redistributing user mappings and the firewalls they are redistributing the information to.
Deny the paloalto-userid-agent application to any external zone, such as your internet zone.As a best practice, always enable the Enable Config Sync option for an HA configuration to ensure that the group mappings and user mappings are synchronized between the active and passive firewall.Commit your changes.Limitations
- For a Large scale network, instead of configuring all Firewalls to directly query the mapping information sources, you can streamline resource usage by configuring some firewall to collect mapping information through redistribution. For Cloud NGFW in Azure, the redistribution of user mapping information functionality is not supported.
- Authentication and Authorization policy is not supported.
- The PAN-OS based agent method for User-ID mapping is not supported.
- The XML-API method for User-ID mapping is not supported.