Configure the PAN-OS Integrated User-ID Agent as a Syslog Listener
To configure the PAN-OS Integrated User-ID agent to create new user mappings and remove outdated mappings through syslog monitoring, start by defining Syslog Parse profiles. The User-ID agent uses the profiles to find login and logout events in syslog messages. In environments where syslog senders (the network services that authenticate users) deliver syslog messages in different formats, configure a profile for each syslog format. Syslog messages must meet certain criteria for a User-ID agent to parse them (see Syslog).

This procedure uses examples with the following formats:
- Login events: [Tue Jul 5 13:15:04 2016 CDT] Administrator authentication success User:johndoe1 Source:192.168.3.212
- Logout events: [Tue Jul 5 13:18:05 2016 CDT] User logout successful User:johndoe1 Source:192.168.3.212

After configuring the Syslog Parse profiles, you specify syslog senders for the User-ID agent to monitor.
- Determine whether there is a predefined Syslog Parse profile for your particular syslog senders.
  Palo Alto Networks provides several predefined profiles through Application content updates. The predefined profiles are global to the firewall, whereas custom profiles apply to a single virtual system only. Any new Syslog Parse profiles in a given content release are documented in the corresponding release note, along with the specific regex used to define the filter.
  - Install the latest Applications or Applications and Threats update:
    - Select Device > Dynamic Updates and Check Now.
    - Download and Install any new update.
  - Determine which predefined Syslog Parse profiles are available:
    - Select Device > User Identification > User Mapping and click Add in the Server Monitoring section.
    - Set the Type to Syslog Sender and click Add in the Filter section. If the Syslog Parse profile you need is available, skip the steps for defining custom profiles.
- Define custom Syslog Parse profiles to create and delete user mappings.
  Each profile filters syslog messages to identify either login events (to create user mappings) or logout events (to delete mappings), but no single profile can do both.
  - Review the syslog messages that the syslog sender generates to identify the syntax for login and logout events. This enables you to define the matching patterns when creating Syslog Parse profiles.
    While reviewing syslog messages, also determine whether they include the domain name. If they don't, and your user mappings require domain names, enter the Default Domain Name when defining the syslog senders that the User-ID agent monitors (later in this procedure).
  - Select Device > User Identification > User Mapping and edit the Palo Alto Networks User-ID Agent Setup.
  - Select Syslog Filters and Add a Syslog Parse profile.
  - Enter a name to identify the Syslog Parse Profile.
  - Select the Type of parsing to find login or logout events in syslog messages:
    - Regex Identifier: regular expressions.
    - Field Identifier: text strings.
    The following steps describe how to configure these parsing types.
  - (Regex Identifier parsing only) Define the regex matching patterns.
    If the syslog message contains a standalone space or tab as a delimiter, use \s for a space and \t for a tab.
    - Enter the Event Regex for the type of events you want to find:
      - Login events: for the example message, the regex (authentication\ success){1} extracts the first ({1}) instance of the string authentication success.
      - Logout events: for the example message, the regex (logout\ successful){1} extracts the first ({1}) instance of the string logout successful.
      The backslash (\) before the space is a standard regex escape character that instructs the regex engine not to treat the space as a special character.
    - Enter the Username Regex to identify the start of the username. In the example message, the regex User:([a-zA-Z0-9\\\._]+) matches the string User:johndoe1 and identifies johndoe1 as the username.
    - Enter the Address Regex to identify the IP address portion of syslog messages. In the example message, the regular expression Source:([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) matches Source:192.168.3.212 and identifies 192.168.3.212 as the IPv4 address.
      [Figure: a completed Syslog Parse profile that uses regex to identify login events]
    - Click OK twice to save the profile.
  - (Field Identifier parsing only) Define string matching patterns.
    - Enter an Event String to identify the type of events you want to find.
      - Login events: for the example message, the string authentication success identifies login events.
      - Logout events: for the example message, the string logout successful identifies logout events.
    - Enter a Username Prefix to identify the start of the username field in syslog messages. The field does not support regex expressions such as \s (for a space) or \t (for a tab). In the example messages, User: identifies the start of the username field.
    - Enter the Username Delimiter that indicates the end of the username field in syslog messages. Use \s to indicate a standalone space (as in the sample message) and \t to indicate a tab.
    - Enter an Address Prefix to identify the start of the IP address field in syslog messages. The field does not support regex expressions such as \s (for a space) or \t (for a tab). In the example messages, Source: identifies the start of the address field.
    - Enter the Address Delimiter that indicates the end of the IP address field in syslog messages. For example, enter \n to indicate that the delimiter is a line break.
      [Figure: a completed Syslog Parse profile that uses string matching to identify login events]
    - Click OK twice to save the profile.
- Specify the syslog senders that the firewall monitors.
  Within the total maximum of 100 monitored servers per firewall, you can define no more than 50 syslog senders for any single virtual system. The firewall discards any syslog messages received from senders that are not on this list.
  - Select Device > User Identification > User Mapping and Add an entry to the Server Monitoring list.
  - Enter a Name to identify the sender.
  - Make sure the sender profile is Enabled (the default).
  - Set the Type to Syslog Sender.
  - Enter the Network Address (IP address) of the syslog sender.
  - Select SSL (default) or UDP as the Connection Type.
    To select the TLS certificate that the firewall uses to receive syslog messages, select Device > User Identification > User Mapping, Edit the Palo Alto Networks User-ID Agent Setup settings, select Server Monitor, then select the Syslog Service Profile that contains the TLS certificate you want the firewall to use to receive syslog messages.
    The PAN-OS integrated User-ID agent accepts syslog over SSL and UDP only. Use caution with UDP: it is an unreliable protocol, so there is no way to verify that a message was sent from a trusted syslog sender. Although you can restrict syslog messages to specific source IP addresses, an attacker can still spoof the IP address, potentially allowing the injection of unauthorized syslog messages into the firewall. Always use SSL to listen for syslog messages because the traffic is encrypted (UDP sends the traffic in cleartext). If you must use UDP, make sure that the syslog sender and client are both on a dedicated, secure network to prevent untrusted hosts from sending UDP traffic to the firewall.
    A syslog sender using SSL to connect shows a Status of Connected only when there is an active SSL connection. Syslog senders using UDP do not show a Status value.
  - For each syslog format that the sender supports, Add a Syslog Parse profile to the Filter list. Select the Event Type that each profile is configured to identify: login (default) or logout.
  - (Optional) If the syslog messages don't contain domain information and your user mappings require domain names, enter a Default Domain Name to append to the mappings.
  - Click OK to save the settings.
- Enable syslog listener services on the interface that the firewall uses to collect user mappings.
  - Select Network > Network Profiles > Interface Mgmt and edit an existing Interface Management profile or Add a new profile.
  - Select User-ID Syslog Listener-SSL or User-ID Syslog Listener-UDP or both, based on the protocols you defined for the syslog senders in the Server Monitoring list. The listening ports (514 for UDP and 6514 for SSL) are not configurable; they are enabled through the management service only.
  - Click OK to save the interface management profile.
    Even after you enable the User-ID Syslog Listener service on the interface, the interface accepts syslog connections only from senders that have a corresponding entry in the User-ID monitored servers configuration. The firewall discards connections or messages from senders that are not on the list.
- Assign the Interface Management profile to the interface that the firewall uses to collect user mappings:
  - Select Network > Interfaces and edit the interface.
  - Select Advanced > Other Info, select the Interface Management Profile you just added, and click OK.
  - Commit your changes.
- Verify that the firewall adds and deletes user mappings when users log in and out.
  You can use CLI commands to see additional information about syslog senders, syslog messages, and user mappings.
  - Log in to a client system for which a monitored syslog sender generates login and logout event messages.
  - Verify that the firewall mapped the login username to the client IP address:
      > show user ip-user-mapping ip <ip-address>
      IP address: 192.0.2.1 (vsys1)
      User: localdomain\username
      From: SYSLOG
  - Log out of the client system.
  - Verify that the firewall deleted the user mapping:
      > show user ip-user-mapping ip <ip-address>
      No matched record
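The Regex Identifier and Field Identifier parsing types, the sender allow-list, and the login/logout mapping lifecycle described above, modelled as an added Python example (not code from PAN-OS or from this page). It applies the page's Event, Username and Address Regex values and its Event String, prefix and delimiter values to the two example messages, discards messages from senders that are not in the Server Monitoring list, and adds or removes the IP-to-user mapping the way the verification step expects. The sender address 192.0.2.10, the unlisted sender 198.51.100.7, the default domain localdomain, and the rule that the end of a message also terminates a Field Identifier field are assumptions; pairing a regex login filter with a field-based logout filter on one sender is done only so that both parser types are exercised.

```python
import re
from ipaddress import ip_address

# Constructed sample messages, following the two formats shown on the page.
LOGIN_MSG = ("[Tue Jul 5 13:15:04 2016 CDT] Administrator authentication success "
             "User:johndoe1 Source:192.168.3.212")
LOGOUT_MSG = ("[Tue Jul 5 13:18:05 2016 CDT] User logout successful "
              "User:johndoe1 Source:192.168.3.212")

# Regex Identifier profiles: the Event, Username and Address Regex values from the page.
USER_RE = r"User:([a-zA-Z0-9\\\._]+)"
ADDR_RE = r"Source:([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})"
REGEX_PROFILES = {
    "login": {"event": r"(authentication\ success){1}", "user": USER_RE, "addr": ADDR_RE},
    "logout": {"event": r"(logout\ successful){1}", "user": USER_RE, "addr": ADDR_RE},
}

# Field Identifier profiles: Event String plus the prefix/delimiter pairs from the page.
FIELD_PROFILES = {
    "login": {"event": "authentication success", "user_prefix": "User:",
              "user_delim": r"\s", "addr_prefix": "Source:", "addr_delim": r"\n"},
    "logout": {"event": "logout successful", "user_prefix": "User:",
               "user_delim": r"\s", "addr_prefix": "Source:", "addr_delim": r"\n"},
}
DELIMITERS = {r"\s": " ", r"\t": "\t", r"\n": "\n"}   # shorthands the delimiter fields accept


def parse_regex(profile, message):
    """Apply a Regex Identifier profile; return (username, ip) or None."""
    if not re.search(profile["event"], message):
        return None                      # not the event type this profile looks for
    user = re.search(profile["user"], message)
    addr = re.search(profile["addr"], message)
    if not user or not addr:
        return None                      # event matched but a mapping field is missing
    return user.group(1), addr.group(1)


def _field(message, prefix, delim):
    # Assumption not stated on the page: end of message also terminates a field.
    start = message.find(prefix)
    if start < 0:
        return None
    start += len(prefix)
    end = message.find(DELIMITERS.get(delim, delim), start)
    return message[start:] if end < 0 else message[start:end]


def parse_field(profile, message):
    """Apply a Field Identifier profile; same return contract as parse_regex."""
    if profile["event"] not in message:
        return None
    user = _field(message, profile["user_prefix"], profile["user_delim"])
    addr = _field(message, profile["addr_prefix"], profile["addr_delim"])
    return (user, addr) if user and addr else None


class SyslogUserIdAgent:
    """Toy agent: sender allow-list, ordered (event_type, parser) filters, mapping table."""

    def __init__(self, allowed_senders, filters, default_domain=None):
        self.allowed = {ip_address(s) for s in allowed_senders}
        self.filters = filters
        self.default_domain = default_domain
        self.mappings = {}        # client IP -> user
        self.discarded = 0        # messages from senders not on the list

    def receive(self, sender_ip, message):
        if ip_address(sender_ip) not in self.allowed:
            self.discarded += 1   # unlisted sender: dropped before any parsing
            return None
        for event_type, parse in self.filters:
            parsed = parse(message)
            if parsed is None:
                continue
            user, client_ip = parsed
            if self.default_domain and "\\" not in user:
                user = f"{self.default_domain}\\{user}"   # Default Domain Name
            if event_type == "login":
                self.mappings[client_ip] = user
            else:
                self.mappings.pop(client_ip, None)
            return event_type, user, client_ip
        return None               # no filter matched: message ignored


def demo():
    """Replay the login/logout sequence from the verification step."""
    agent = SyslogUserIdAgent(
        allowed_senders=["192.0.2.10"],            # assumed sender address
        filters=[("login", lambda m: parse_regex(REGEX_PROFILES["login"], m)),
                 ("logout", lambda m: parse_field(FIELD_PROFILES["logout"], m))],
        default_domain="localdomain",              # assumed Default Domain Name
    )
    agent.receive("192.0.2.10", LOGIN_MSG)
    after_login = dict(agent.mappings)
    agent.receive("198.51.100.7", LOGOUT_MSG)      # unlisted sender: discarded
    agent.receive("192.0.2.10", LOGOUT_MSG)
    return after_login, dict(agent.mappings), agent.discarded
```

Running demo() returns the mapping table after the login message (192.168.3.212 mapped to localdomain\johndoe1), the empty table after the logout message, and a discard count of 1 for the message from the sender that was not on the list. The sender check runs before any parsing, which is the behaviour the page describes for senders missing from the Server Monitoring list, and the Username Regex character class includes a backslash so a sender that already emits domain\user is not given a second domain prefix.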