Use the Server Monitoring section to Add server profiles that specify the servers the firewall will monitor. Configure at least two User-ID monitored servers so that if one server goes down, the firewall can still learn IP-address-to-username mappings. The complete procedure to configure the PAN-OS integrated User-ID agent to monitor servers requires additional tasks besides creating server profiles.
Server Monitoring Settings and their descriptions:

Name: Enter a name for the server.

Description: Enter a description of the server.

Enabled: Select this option to enable log monitoring for this server.

Type: Select the server type. Your selection determines which other fields this dialog displays. The available types are:
    Microsoft Active Directory
    Microsoft Exchange
    Novell eDirectory
    Syslog Sender
Transport Protocol (Microsoft Active Directory and Microsoft Exchange only): Select the transport protocol:
    WMI (default): Use Windows Management Instrumentation (WMI) to probe each learned IP address and verify that the same user is still logged in.
    Win-RM-HTTP: Use Windows Remote Management (WinRM) over HTTP to monitor the security logs and session information on the server. This option requires the Kerberos Domain's DNS Name in the Server Monitor Account.
    Win-RM-HTTPS: Use Windows Remote Management (WinRM) over HTTPS to monitor the security logs and session information on the server. To require server certificate validation with the Windows server when using Kerberos authentication, make sure you configure NTP in the Global Services Settings and select the Root CA as the certificate profile (Device > User Identification > Connection Security).
Network Address: Enter the IP address or FQDN of the monitored server. If you use Kerberos for server authentication, you must enter an FQDN. This option is not supported when the Type is Novell eDirectory.

Connection Type (Syslog Sender only): Select whether the User-ID agent listens for syslog messages on the UDP port (514) or the SSL port (6514). If you select SSL, the Syslog Service Profile you select when you enable Server Monitoring determines which SSL/TLS versions are allowed and the certificate that the firewall uses to secure the connection to the syslog sender. As a security best practice, select SSL when using the PAN-OS integrated User-ID agent to map IP addresses to usernames. If you select UDP, ensure that the syslog sender and client are both on a dedicated, secure network to prevent untrusted hosts from sending UDP traffic to the firewall.
Filter (Syslog Sender only): If the server Type is Syslog Sender, then Add one or more Syslog Parse profiles to use for extracting usernames and IP addresses from the syslog messages received from this server. You can add a custom profile (see Syslog Filters) or a predefined profile. For each profile, set the Event Type:
    login: The User-ID agent parses syslog messages for login events to create user mappings.
    logout: The User-ID agent parses syslog messages for logout events to delete user mappings that are no longer current. In networks where IP address assignment is dynamic, automatic deletion improves the accuracy of user mappings by ensuring that the agent maps each IP address only to the currently associated user.
If you add a predefined Syslog Parse profile, check its name to determine whether it is intended to match login or logout events.
Default Domain Name (Syslog Sender only): (Optional) If the server Type is Syslog Sender, enter a domain name to override the current domain name in the username of your syslog message, or to prepend the domain to the username if your syslog message doesn't contain a domain.