Enable User-ID on the Cloud NGFW for Azure
Table of Contents
Enable User-ID on the Cloud NGFW for Azure
Learn how to enable User-ID on the Cloud NGFW for Azure.
The user identity, as opposed to an IP address, is an integral component of
an effective security infrastructure. Knowing who is using each of the applications
on your network, and who may have transmitted a threat or is transferring files, can
strengthen security policies and reduce incident response times. User-ID™, a
standard feature on the Palo Alto Networks firewall, enables you to leverage user
information stored in a wide range of repositories. See PAN-OS documentation learn more about
User-ID concepts.
To enforce policy from User-ID or Groups:
- Firewall must be able to map the IP addresses to the usernames.
- User-ID provides various mechanisms for collecting the user mapping information. To learn more, click here.
- If the mapping methods are unable to capture the mapping, then you can configure the Authentication Policy to redirect users to an Authentication portal login. Users can provide credentials which will be checked against the identity provider and enforce access accordingly. Learn more about Authentication policy here.
Cloud NGFW today supports Server Monitoring mapping via
agent install only.
To enable Users and Groups based policy:
- The Firewall requires a list of all available users and their corresponding group memberships.
- The Panorama collects group mapping information by connecting directly to the LDAP server and then distribute it to the Cloud NGFW.
For Cloud NGFW deployment, we recommend using the Server Monitoring using Palo Alto
Networks Terminal Server Agent or a windows-based agent running on a domain server
in the network.
- Enable User-ID.
- Log in to Panorama.
- Select and click the zoneName.
- Enable User Identificationand clickOK.
- Configure IP address mapping to Users. The Cloud NGFW for Azure supports IP-to-user mapping using the Windows User-ID agent or Terminal Server Agent.
- Specify the networks to include and exclude from user mapping.As a best practice, always specify which networks to include and exclude from User-ID. This allows you to ensure that only your trusted assets are probed and that unwanted user mappings are not created unexpectedly.
- Select and select Zone where you're configuring User-ID.
- Add your networks toIncludeandExcludelists as needed.
- ClickOK.
![]()
- Enable user and group based policy enforcement.After enabling User-ID on your Cloud NGFW, you can use a username or group name as the source or destination of a security policy rule.
- Select and clickAddto create a new security policy rule or click a security policy name to modify an existing rule.
- Select User and specify which users and groups to match in the rule in one of the following ways.
- If you want to select specific users or groups as matching criteria, clickAddin the Source User section to display a list of users and groups discovered by the firewall group mapping function. Select the users or groups to add to the rule.
- If you want to match any user who has or has not authenticated and you don’t need to know the specific user or group name, selectknown-userorunknownfrom the drop-down above the Source User list.
- Configure the rest of the rule as appropriate and then clickOKto save it. For details on other fields in the security rule, see Set Up a Basic Security Policy.
Create rules based on group rather than user whenever possible. This prevents you from having to continually update your rules (which requires a commit) whenever your user base changes. - Create the security policy rules to safely enable User-ID within your trusted zones and prevent User-ID traffic from egressing your network.Follow the Best Practice Internet Gateway Security Policy to ensure that the User-ID application (paloalto-userid-agent) is only allowed in the zones where your agents (both your Windows agents and your PAN-OS integrated agents) are monitoring services and distributing mappings to firewalls. Specifically:
- Allow thepaloalto-userid-agentapplication between the zones where your agents reside and the zones where the monitored servers reside (or even better, between the specific systems that host the agent and the monitored servers).
- Allow thepaloalto-userid-agentapplication between the agents and the firewalls that need the user mappings and between firewalls that are redistributing user mappings and the firewalls they are redistributing the information to.
Deny thepaloalto-userid-agentapplication to any external zone, such as your internet zone.As a best practice, always enable theEnable Config Syncoption for an HA configuration to ensure that the group mappings and user mappings are synchronized between the active and passive firewall. - Commityour changes.
Limitations
- For a Large scale network, instead of configuring all Firewalls to directly query the mapping information sources, you can streamline resource usage by configuring some firewall to collect mapping information through redistribution. For Cloud NGFW in Azure, the redistribution of user mapping information functionality is not supported.
- Authentication and Authorization policy is not supported.
- The PAN-OS based agent method for User-ID mapping is not supported.
- The XML-API method for User-ID mapping is not supported.