User-ID is a feature that enables mapping of user IP addresses to usernames and group memberships, enabling user- or group-based policy and visibility into user activity on your network (for example, to be able to quickly track down a user who may be the victim of a threat). To perform this mapping, the firewall, the User-ID agent (either installed on a Windows-based system or the PAN-OS integrated agent running on the firewall), and/or the Terminal Server agent must be able to connect to directory services on your network to perform Group Mapping and User Mapping. Additionally, if the agents are running on systems external to the firewall, they must be able to connect to the firewall to communicate the IP address to username mappings to the firewall.

The following table lists the communication requirements for User-ID along with the port numbers required to establish connections.
| Destination Port | Protocol | Description |
|---|---|---|
| 389 | TCP | Port the firewall uses to connect to an LDAP server (plaintext or Start Transport Layer Security (Start TLS)) to Map Users to Groups. |
| 3268 | TCP | Port the firewall uses to connect to an Active Directory global catalog server (plaintext or Start TLS) to Map Users to Groups. |
| 636 | TCP | Port the firewall uses for LDAP over SSL connections with an LDAP server to Map Users to Groups. |
| 3269 | TCP | Port the firewall uses for LDAP over SSL connections with an Active Directory global catalog server to Map Users to Groups. |
| 514, 6514 | TCP/UDP | PAN-OS integrated User-ID agent—Port 6514 for SSL and port 514 for UDP. Windows-based User-ID agent—Port 514 for both TCP and UDP. |
| 5007 | TCP | Port the firewall listens on for user mapping information. The agent sends the IP address and username mapping along with a timestamp whenever it learns of a new or updated mapping. In addition, it refreshes known mappings. |
| 5006 | TCP | Port the User-ID agent listens on for XML API requests. The source for this communication is typically the system running a script that invokes the API. |
| 88 | UDP/TCP | Port the User-ID agent uses to authenticate to a Kerberos server. The firewall tries UDP first and falls back to TCP. |
| 1812 | UDP | Port the User-ID agent uses to authenticate to a RADIUS server. |
| 49 | TCP | Port the User-ID agent uses to authenticate to a TACACS+ server. |
| 135 | TCP | Port the User-ID agent uses to establish TCP-based WMI connections with the Microsoft Remote Procedure Call (RPC) Endpoint Mapper. The Endpoint Mapper then assigns the agent a random port in the 49152-65535 range. The agent uses this connection to make RPC queries for Exchange Server or AD server security logs and session tables. This is also the port used to access Terminal Servers. |
| 139 | TCP | Port the User-ID agent uses to establish TCP-based NetBIOS connections to the AD server so that it can send RPC queries for security logs and session information. |
| 445 | TCP | Port the User-ID agent uses to connect to the Active Directory (AD) using TCP-based SMB connections to the AD server for access to user logon information (print spooler and Net Logon). |
| 5985 | HTTP | Port the User-ID agent uses to monitor security logs and session information with the WinRM protocol over HTTP. |
| 5986 | HTTPS | Port the User-ID agent uses to monitor security logs and session information with the WinRM protocol over HTTPS. |
| 5009 | TCP | Port the firewall uses to connect to the Terminal Server Agent. |
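As an added example (not code from the PAN-OS documentation or Palo Alto Networks), the following Python turns the table above into a least-privilege flow allowlist that also captures direction (which side listens) and the WMI dynamic port range handed out by the Endpoint Mapper, then audits constructed flow records against it. The role names, IP addresses and the "log_source" role for the 514/6514 row are assumptions made for the example.

```python
"""Least-privilege User-ID flow allowlist built from the port table above."""

# Ports the RPC Endpoint Mapper may assign for WMI after the initial 135 connection.
WMI_DYNAMIC = range(49152, 65536)

# (source role, destination role, protocol, allowed ports) -- the roles are
# assumed names for this example; ports and directions follow the table.
REQUIRED_FLOWS = [
    ("firewall", "ldap_server", "tcp", (389, 636)),
    ("firewall", "global_catalog", "tcp", (3268, 3269)),
    ("userid_agent", "firewall", "tcp", (5007,)),        # agent pushes mappings
    ("api_client", "userid_agent", "tcp", (5006,)),      # XML API requests
    ("userid_agent", "kerberos", "udp", (88,)),
    ("userid_agent", "kerberos", "tcp", (88,)),          # fallback after UDP
    ("userid_agent", "radius", "udp", (1812,)),
    ("userid_agent", "tacacs", "tcp", (49,)),
    ("userid_agent", "domain_controller", "tcp", (135, 139, 445, 5985, 5986)),
    ("userid_agent", "domain_controller", "tcp", WMI_DYNAMIC),
    ("firewall", "ts_agent", "tcp", (5009,)),
    ("log_source", "userid_agent", "udp", (514,)),       # assumed sender role
    ("log_source", "userid_agent", "tcp", (514, 6514)),
]


def is_expected(src_role, dst_role, proto, port):
    """True if the flow matches a documented User-ID requirement (direction matters)."""
    for s, d, p, ports in REQUIRED_FLOWS:
        if (s, d, p) == (src_role, dst_role, proto.lower()) and port in ports:
            return True
    return False


def audit(flows, roles):
    """Return the flows (src_ip, dst_ip, proto, port) that no table row explains.
    'roles' maps an IP address to its role; unmapped hosts become 'unknown'."""
    return [
        (src, dst, proto, port)
        for src, dst, proto, port in flows
        if not is_expected(roles.get(src, "unknown"), roles.get(dst, "unknown"), proto, port)
    ]


# Constructed sample environment and flow records (not from any real network).
ROLES = {"10.0.0.1": "firewall", "10.0.0.10": "userid_agent",
         "10.0.0.20": "domain_controller", "10.0.0.30": "ldap_server"}
SAMPLE_FLOWS = [
    ("10.0.0.10", "10.0.0.1", "tcp", 5007),    # agent -> firewall: expected
    ("10.0.0.10", "10.0.0.20", "tcp", 135),    # agent -> DC endpoint mapper: expected
    ("10.0.0.10", "10.0.0.20", "tcp", 52000),  # agent -> DC WMI dynamic port: expected
    ("10.0.0.1", "10.0.0.30", "tcp", 389),     # firewall -> LDAP: expected
    ("10.0.0.20", "10.0.0.10", "tcp", 5006),   # DC -> agent XML API: not expected
    ("10.0.0.1", "10.0.0.10", "tcp", 5007),    # firewall -> agent on 5007: wrong direction
]
```

Running `audit(SAMPLE_FLOWS, ROLES)` returns only the last two records, which is the kind of result you would feed into a firewall rule review or an alert on unexpected User-ID traffic.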