Enable User-ID on the Cloud NGFW for Azure
Learn how to enable User-ID on the Cloud NGFW for Azure.
The user identity, as opposed to an IP address, is an integral component of an effective security infrastructure. Knowing who is using each of the applications on your network, and who may have transmitted a threat or is transferring files, can strengthen security policies and reduce incident response times. User-ID™, a standard feature on the Palo Alto Networks firewall, enables you to leverage user information stored in a wide range of repositories. See the PAN-OS documentation to learn more about User-ID concepts.
To enforce policy based on User-ID or groups:
  • The firewall must be able to map IP addresses to usernames.
  • User-ID provides various mechanisms for collecting the user mapping information; see the PAN-OS User-ID documentation for details.
  • If the mapping methods are unable to capture the mapping, you can configure an Authentication Policy to redirect users to an Authentication Portal login. Users provide credentials, which are checked against the identity provider, and access is enforced accordingly. See the PAN-OS documentation on Authentication Policy for details.
Cloud NGFW currently supports Server Monitoring user mapping through an installed agent only.
To enable user- and group-based policy:
  • The firewall requires a list of all available users and their corresponding group memberships.
  • Panorama collects group mapping information by connecting directly to the LDAP server and then distributes it to the Cloud NGFW.
For Cloud NGFW deployments, we recommend Server Monitoring using the Palo Alto Networks Terminal Server Agent or a Windows-based User-ID agent running on a domain server in the network.
  1. Enable User-ID.
    1. Log in to Panorama.
    2. Select Network > Zones and click the zone Name.
    3. Enable User Identification and click OK.
  2. Configure IP address mapping to Users. The Cloud NGFW for Azure supports IP-to-user mapping using the Windows User-ID agent or Terminal Server Agent.
  3. Specify the networks to include and exclude from user mapping.
    As a best practice, always specify which networks to include and exclude from User-ID. This allows you to ensure that only your trusted assets are probed and that unwanted user mappings are not created unexpectedly.
    1. Select Network > Zones and select the zone where you are configuring User-ID.
    2. Add your networks to Include and Exclude lists as needed.
    3. Click OK.
  4. Enable user and group based policy enforcement.
    After enabling User-ID on your Cloud NGFW, you can use a username or group name as the source or destination of a security policy rule.
    1. Select Policies > Security and click Add to create a new security policy rule, or click a security policy name to modify an existing rule.
    2. Select User and specify which users and groups to match in the rule in one of the following ways.
      • If you want to select specific users or groups as matching criteria, click Add in the Source User section to display a list of users and groups discovered by the firewall group mapping function. Select the users or groups to add to the rule.
      • If you want to match any user who has or has not authenticated and you don’t need to know the specific user or group name, select known-user or unknown from the drop-down above the Source User list.
    3. Configure the rest of the rule as appropriate and then click OK to save it. For details on other fields in the security rule, see Set Up a Basic Security Policy.
    Create rules based on group rather than user whenever possible. This prevents you from having to continually update your rules (which requires a commit) whenever your user base changes.
  5. Create the security policy rules to safely enable User-ID within your trusted zones and prevent User-ID traffic from egressing your network.
    Follow the Best Practice Internet Gateway Security Policy to ensure that the User-ID application (paloalto-userid-agent) is only allowed in the zones where your agents (both your Windows agents and your PAN-OS integrated agents) are monitoring services and distributing mappings to firewalls. Specifically:
    • Allow the paloalto-userid-agent application between the zones where your agents reside and the zones where the monitored servers reside (or even better, between the specific systems that host the agent and the monitored servers).
    • Allow the paloalto-userid-agent application between the agents and the firewalls that need the user mappings and between firewalls that are redistributing user mappings and the firewalls they are redistributing the information to.
    • Deny the paloalto-userid-agent application to any external zone, such as your internet zone.
    As a best practice, always enable the Enable Config Sync option for an HA configuration to ensure that the group mappings and user mappings are synchronized between the active and passive firewall.
  6. Commit your changes.
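The procedure above is performed in the Panorama web interface. As an added example that is not part of the Palo Alto Networks documentation, the following Python script audits a constructed PAN-OS-style configuration XML (not a real export) against the practices in steps 3 to 5: every zone with User Identification enabled has an include list, security rules match on groups rather than individual users, and paloalto-userid-agent is never allowed toward an external zone. The group names and external zone names are hypothetical inputs you would replace with the values Panorama has learned.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the PAN-OS config XML layout (not a real export): two
# zones with User-ID enabled (only one has an include list) and three rules.
SAMPLE_CONFIG = r"""<config><devices><entry name="localhost.localdomain"><vsys>
<entry name="vsys1"><zone>
 <entry name="trust"><enable-user-identification>yes</enable-user-identification>
  <user-acl><include-list><member>10.10.0.0/16</member></include-list>
  <exclude-list><member>10.10.99.0/24</member></exclude-list></user-acl></entry>
 <entry name="dmz"><enable-user-identification>yes</enable-user-identification></entry>
 <entry name="untrust"/></zone><rulebase><security><rules>
 <entry name="finance-web"><from><member>trust</member></from><to><member>untrust</member></to>
  <source-user><member>example\finance-users</member></source-user>
  <application><member>web-browsing</member></application><action>allow</action></entry>
 <entry name="alice-ssh"><from><member>trust</member></from><to><member>dmz</member></to>
  <source-user><member>example\alice</member></source-user>
  <application><member>ssh</member></application><action>allow</action></entry>
 <entry name="userid-out"><from><member>trust</member></from><to><member>untrust</member></to>
  <source-user><member>any</member></source-user>
  <application><member>paloalto-userid-agent</member></application><action>allow</action></entry>
</rules></security></rulebase></entry></vsys></entry></devices></config>"""

# Assumed inputs (hypothetical values): the group names Panorama learned via
# group mapping, and the zones you treat as external. Keywords are not users.
KNOWN_GROUPS = {r"example\finance-users"}
EXTERNAL_ZONES = {"untrust"}
SPECIAL_USERS = {"any", "known-user", "unknown", "pre-logon"}

def audit_userid(xml_text, known_groups=KNOWN_GROUPS, external_zones=EXTERNAL_ZONES):
    """Return a list of findings for the zone and rule practices described above."""
    root = ET.fromstring(xml_text)
    findings = []
    # Step 3: a zone with User Identification enabled should carry an include list.
    for z in root.findall(".//zone/entry"):
        if z.findtext("enable-user-identification") == "yes" and not z.findall("user-acl/include-list/member"):
            findings.append(f"zone {z.get('name')}: User-ID enabled without an include list")
    for rule in root.findall(".//rules/entry"):
        name = rule.get("name")
        users = [m.text for m in rule.findall("source-user/member")]
        apps = [m.text for m in rule.findall("application/member")]
        to_zones = [m.text for m in rule.findall("to/member")]
        # Step 4: match on groups, not individual users, so user churn does not force commits.
        for u in users:
            if u not in SPECIAL_USERS and u not in known_groups:
                findings.append(f"rule {name}: matches individual user {u}, prefer a group")
        # Step 5: paloalto-userid-agent must never be allowed toward an external zone.
        if ("paloalto-userid-agent" in apps and rule.findtext("action") == "allow"
                and external_zones.intersection(to_zones)):
            findings.append(f"rule {name}: allows paloalto-userid-agent to an external zone")
    return findings
```

Running `audit_userid(SAMPLE_CONFIG)` reports the dmz zone, the alice-ssh rule and the userid-out rule; the finance-web rule passes because it matches a known group.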

Limitations

  • For a large-scale network, instead of configuring all firewalls to directly query the mapping information sources, you can streamline resource usage by configuring some firewalls to collect mapping information through redistribution. For Cloud NGFW in Azure, redistribution of user mapping information is not supported.
  • Authentication and Authorization policy is not supported.
  • The PAN-OS based agent method for User-ID mapping is not supported.
  • The XML-API method for User-ID mapping is not supported.