Ports Used for User-ID
Focus
Focus

Ports Used for User-ID

Table of Contents

Ports Used for User-ID

User-ID is a feature that enables mapping of user IP addresses to usernames and group memberships, enabling user- or group-based policy and visibility into user activity on your network (for example, to be able to quickly track down a user who may be the victim of a threat). To perform this mapping, the firewall, the User-ID agent (either installed on a Windows-based system or the PAN-OS integrated agent running on the firewall), and/or the Terminal Server agent must be able to connect to directory services on your network to perform Group Mapping and User Mapping. Additionally, if the agents are running on systems external to the firewall, they must be able to connect to the firewall to communicate the IP address to username mappings to the firewall. The following table lists the communication requirements for User-ID along with the port numbers required to establish connections.
Destination Port
Protocol
Description
389
TCP
Port the firewall uses to connect to an LDAP server (plaintext or Start Transport Layer Security (Start TLS) to Map Users to Groups.
3268
TCP
Port the firewall uses to connect to an Active Directory global catalog server (plaintext or Start TLS) to Map Users to Groups.
636
TCP
Port the firewall uses for LDAP over SSL connections with an LDAP server to Map Users to Groups.
3269
TCP
Port the firewall uses for LDAP over SSL connections with an Active Directory global catalog server to Map Users to Groups.
514
6514
TCP
UDP
SSL
Port the User-ID agent listens on for authentication syslog messages if you Configure User-ID to Monitor Syslog Senders for User Mapping. The port depends on the type of agent and protocol:
  • PAN-OS integrated User-ID agent—Port 6514 for SSL and port 514 for UDP.
  • Windows-based User-ID agent—Port 514 for both TCP and UDP.
5007
TCP
Port the firewall listens on for user mapping information. The agent sends the IP address and username mapping along with a timestamp whenever it learns of a new or updated mapping. In addition, it refreshes known mappings.
5006
TCP
Port the User-ID agent listens on for XML API requests. The source for this communication is typically the system running a script that invokes the API.
88
UDP/TCP
Port the User-ID agent uses to authenticate to a Kerberos server. The firewall tries UDP first and falls back to TCP.
1812
UDP
Port the User-ID agent uses to authenticate to a RADIUS server.
49
TCP
Port the User-ID agent uses to authenticate to a TACACS+ server.
135
TCP
Port the User-ID agent uses to establish TCP-based WMI connections with the Microsoft Remote Procedure Call (RPC) Endpoint Mapper. The Endpoint Mapper then assigns the agent a randomly assigned port in the 49152-65535 port range. The agent uses this connection to make RPC queries for Exchange Server or AD server security logs, session tables. This is also the port used to access Terminal Servers.
The User-ID agent also uses this port to connect to client systems to perform Windows Management Instrumentation (WMI) probing.
139
TCP
Port the User-ID agent uses to establish TCP-based NetBIOS connections to the AD server so that it can send RPC queries for security logs and session information.
445
TCP
Port the User-ID agent uses to connect to the Active Directory (AD) using TCP-based SMB connections to the AD server for access to user logon information (print spooler and Net Logon).
5985
HTTP
Port the User-ID agent uses to monitor security logs and session information with the WinRM protocol over HTTP.
5986
HTTPS
Port the User-ID agent uses to monitor security logs and session information with the WinRM protocol over HTTPS.
5009
TCP
Port the firewall uses to connect to the Terminal Server Agent.