Cloud NGFW for Azure
Enable Data Redistribution on Cloud NGFW for Azure
Table of Contents
Enable Data Redistribution on Cloud NGFW for Azure
Learn how to enable User-ID on the Cloud NGFW for Azure.
| Where Can I Use This? | What Do I Need? |
|---|---|
|
|
The user identity, as opposed to an IP address, is an integral component of
an effective security infrastructure. Knowing who is using each of the applications
on your network, and who may have transmitted a threat or is transferring files, can
strengthen security policy rules and reduce incident response times. User-ID, a
standard feature on the Palo Alto Networks firewall, enables you to leverage user
information stored in a wide range of repositories. See the PAN-OS documentation to learn more about
User-ID concepts.
To enforce the policy from User-ID or Groups:
- The firewall must be able to map the IP addresses to the usernames.
- User-ID provides various mechanisms for collecting the user mapping information. To learn more, click here.
- If the mapping methods are unable to capture the mapping, then you can configure the Authentication policy to redirect users to an Authentication Portal login. Users can provide credentials, which are checked against the identity provider and enforce access accordingly. Learn more about the Authentication policy here.
Cloud NGFW today supports Server Monitoring mapping via
agent install only.
To enable Users and Groups-based policy:
- The firewall requires a list of all available users and their corresponding group memberships.
- The Panorama collects group mapping information by connecting directly to the LDAP server and then distribute it to the Cloud NGFW.
For Cloud NGFW deployment, we recommend using the Server Monitoring using Palo Alto
Networks Terminal Server agent or a windows-based agent running on a domain server
in the network.
- Enable User-ID.
- Log in to Panorama.Select and click the zone Name.Enable User Identification and click OK.Create a Dedicated Service Account for the User-ID agent.Map Users to Groups.Configure IP address mapping to Users. The Cloud NGFW for Azure supports IP-to-user mapping using the Windows User-ID agent or Terminal Server agent.Specify the networks to include and exclude from user mapping.As a best practice, always specify which networks to include and exclude from User-ID. This allows you to ensure that only your trusted assets are probed and that unwanted user mappings are not created unexpectedly.
- Select and select the zone where you're configuring User-ID.Add your networks to Include and Exclude lists as needed.Click OK.
![]()
Enable user and group-based policy enforcement.After enabling User-ID on your Cloud NGFW, you can use a username or group name as the source or destination of a Security policy rule.- Select and click Add to create a new Security policy rule or click a Security policy name to modify an existing rule.Select User and specify which users and groups to match in the rule in one of the following ways.
- If you want to select specific users or groups as matching criteria, click Add in the Source User section to display a list of users and groups discovered by the firewall group mapping function. Select the users or groups to add to the rule.
- If you want to match any user who has or has not authenticated and you don’t need to know the specific user or group name, select known-user or unknown from the drop-down above the Source User list.
Configure the rest of the rule as appropriate and then click OK to save it. For details on other fields in the security rule, see Set Up a Basic Security Policy.Create rules based on group rather than user whenever possible. This prevents you from having to continually update your rules (which requires a commit) whenever your user base changes.Create the Security policy rules to safely enable User-ID within your trusted zones and prevent User-ID traffic from egressing your network.Follow the Best Practice Internet Gateway Security Policy to ensure that the User-ID application (paloalto-userid-agent) is only allowed in the zones where your agents (both your Windows agents and your PAN-OS integrated agents) are monitoring services and distributing mappings to firewalls. Specifically:- Allow the paloalto-userid-agent application between the zones where your agents reside and the zones where the monitored servers reside (or even better, between the specific systems that host the agent and the monitored servers).
- Allow the paloalto-userid-agent application between the agents and the firewalls that need the user mappings and between firewalls that are redistributing user mappings and the firewalls they are redistributing the information to.
Deny the paloalto-userid-agent application to any external zone, such as your internet zone.As a best practice, always enable the Enable Config Sync option for an HA configuration to ensure that the group mappings and user mappings are synchronized between the active and passive firewall.Commit your changes.Limitations
- For a Large-scale network, instead of configuring all firewalls to directly query the mapping information sources, you can streamline resource usage by configuring some firewall to collect mapping information through redistribution. For Cloud NGFW in Azure, the redistribution of user mapping information functionality isn’t supported.
- Authentication and Authorization policy isn’t supported.
- The PAN-OS based agent method for User-ID mapping isn’t supported.
- The XML API method for User-ID mapping isn’t supported.
