Configure User-ID to Monitor Syslog Senders for User Mapping
Obtaining and maintaining current User-ID mappings from reliable sources is critical to deploying
and enforcing a comprehensive Security policy. To obtain IP address-to-username
mappings from network services that already authenticate users, you can configure
the PAN-OS integrated User-ID agent or the Windows-based User-ID agent to parse the
syslog messages those authentication services emit. To keep user mappings current, you can
also configure the User-ID agent to parse syslog messages for logout events, so that the
firewall automatically deletes mappings that are no longer valid instead of leaving an IP
address attributed to a user who has already disconnected. Using syslog senders as
sources for User-ID mappings also gives you more deployment options.
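The following is an added example, not code from the page or from Palo Alto Networks, that models the login/logout parsing described above. It mirrors the shape of a PAN-OS syslog parse profile in regex mode (an event regex that selects lines, plus a username regex and an address regex that each capture one group) but the syslog lines, the regexes, and the same-user check on logout are constructed assumptions for illustration, not a statement of how the User-ID agent itself behaves internally.

```python
import re
from dataclasses import dataclass

# Constructed sample syslog lines (not captured from any real device). The
# format loosely mimics what a VPN or access gateway might emit; the exact
# text is an assumption of this example.
SAMPLE_SYSLOG = [
    "<38>Jan 10 09:12:01 vpn-gw1 sshd: LOGIN user=alice src=10.1.20.15",
    "<38>Jan 10 09:15:44 vpn-gw1 sshd: LOGIN user=bob src=10.1.20.16",
    "<38>Jan 10 09:20:10 vpn-gw1 sshd: LOGOUT user=alice src=10.1.20.15",
    "<38>Jan 10 09:21:00 vpn-gw1 sshd: LOGIN user=carol src=10.1.20.16",
    "<38>Jan 10 09:22:00 vpn-gw1 sshd: LOGOUT user=bob src=10.1.20.16",
    "<38>Jan 10 09:23:00 vpn-gw1 sshd: FAILED user=mallory src=10.1.20.17",
]


@dataclass
class ParseFilter:
    """Three regexes, in the spirit of a syslog parse profile: the event
    regex selects lines of interest, and the username and address regexes
    each capture one group from a selected line."""
    event: re.Pattern
    username: re.Pattern
    address: re.Pattern

    def match(self, line):
        """Return (username, ip) for a line this filter accepts, else None."""
        if not self.event.search(line):
            return None
        u = self.username.search(line)
        a = self.address.search(line)
        if not (u and a):
            return None
        return u.group(1), a.group(1)


# Hypothetical filters for the constructed format above. Anchoring the event
# word with \b keeps "LOGIN" from matching inside other tokens.
_USER_RE = re.compile(r"user=(\S+)")
_ADDR_RE = re.compile(r"src=(\d{1,3}(?:\.\d{1,3}){3})")
LOGIN_FILTER = ParseFilter(re.compile(r"\bLOGIN\b"), _USER_RE, _ADDR_RE)
LOGOUT_FILTER = ParseFilter(re.compile(r"\bLOGOUT\b"), _USER_RE, _ADDR_RE)


def build_mappings(lines, login=LOGIN_FILTER, logout=LOGOUT_FILTER):
    """Replay syslog lines in order and return the resulting IP -> user map.

    A login event adds or overwrites the mapping for that IP. A logout event
    deletes the mapping only if the IP is still mapped to the same user, so a
    late logout from the previous holder of a reused address does not evict
    the user who now owns it (design choice of this example).
    """
    mappings = {}
    for line in lines:
        hit = login.match(line)
        if hit:
            user, ip = hit
            mappings[ip] = user
            continue
        hit = logout.match(line)
        if hit:
            user, ip = hit
            if mappings.get(ip) == user:
                del mappings[ip]
        # Lines matching neither filter (e.g. FAILED) never create a mapping.
    return mappings


if __name__ == "__main__":
    print(build_mappings(SAMPLE_SYSLOG))
```

Replaying the sample lines leaves only `10.1.20.16 -> carol`: alice's logout removes her mapping, carol's later login on the reused address overwrites bob's, and bob's stale logout is ignored because the address no longer belongs to him. The failed-authentication line is never matched, which is the point of having a separate event regex rather than keying on the username field alone.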
When you configure User-ID to obtain mappings from syslog senders, follow the
deployment best practices recommended by Palo Alto Networks. Following them helps
ensure that your deployment is simple, efficient, and successful.
Make sure to allow traffic on the ports used for User-ID so that the firewall can
receive the messages from the syslog senders and map IP addresses to usernames.
Because these mappings decide which policy rules apply to a user's traffic, limit
access to the listening port to the syslog senders you have configured, and prefer
the SSL transport over plaintext UDP where the sender supports it: an unauthenticated
UDP syslog message can be spoofed, and a forged login event would cause traffic from
that IP address to be treated as another user's.
For background, review the User-ID concepts for syslog, which include an example
deployment that uses syslog messages as a source of User-ID mapping information.
To configure the CN-Series to obtain user mappings from a
User-ID syslog sender source, use the dataplane interface. You can't use the management
interface to obtain user mappings from a syslog sender source with the CN-Series.