Configure User-ID and User-Based Policies with GlobalProtect Cloud Service

To consistently enforce user-based policy for all mobile users and users at remote network locations, you must configure User-ID to map IP addresses to User IDs for your remote network locations, then configure User-ID redistribution to redistribute the IP address-to-user mapping to all on-premise firewalls that secure access to network resources. The User-ID mapping for the users in remote network locations ensures consistent policy enforcement across remote networks. Mobile users are automatically mapped by the GlobalProtect agent in GlobalProtect cloud service.
For mobile users to access a resource on a remote network location or HQ/data center that is secured with a next-generation firewall with user-based policies, you must redistribute User-ID mappings from the GlobalProtect cloud service that secures the remote network location or HQ/data center. When the user connects to the GlobalProtect cloud service, it collects this user-to-IP address mapping and stores it.
For users at a firewall-secured branch location or HQ/data center to access a resource at another branch location that you have secured with the GlobalProtect cloud service, you must redistribute User-ID mappings from the GlobalProtect cloud service that secures the remote network location or HQ/data center.
Use the following workflow to configure User-ID for the GlobalProtect cloud service and redistribute that information to ensure consistent policy enforcement across remote networks.

Configure User-ID for the GlobalProtect Cloud Service for Remote Networks

The process for retrieving User-ID information for GlobalProtect cloud service is similar to configuring User-ID for on-premise Palo Alto Networks next-generation firewalls. Use the following workflow to configure User ID-to-IP address mapping for GlobalProtect cloud service.
  1. Map IP addresses to users in the GlobalProtect cloud service.

Configure User-ID for the GlobalProtect Cloud Service Using the PAN-OS Integrated User-ID Agent

The following procedure shows how to configure the PAN-OS integrated User-ID agent on the firewall for IP address-to-username mapping. The integrated User-ID agent performs the same tasks as the Windows-based agent with the exception of NetBIOS client probing (WMI probing is supported).
  1. Create the User-ID service account on the Windows Active Directory (AD) server that the authentication server uses.
    Be sure that the user you create is part of the following groups:
    • Distributed COM Users
    • Event Log Readers
      If you are configuring the account in Windows 2003, the Event Log Readers group does not exist; instead, create a group policy and give the user Audit and manage security log permissions.
    • Server Operators
    We recommend making only these group associations. The User-ID service account does not need Domain Admin or Enterprise Admin privileges to work correctly, and granting privileges the account does not require enlarges your network's attack surface.
  2. Configure Windows Management Instrumentation (WMI) on the AD server.
    The device authenticates to the AD server over WMI, so you must modify the CIMV2 security properties on the AD server that connects to the device.
    1. Open a command prompt window and run the wmimgmt.msc command.
    2. In the WMI Control pane, right-click WMI Control, choose Properties, and select the Security tab.
  3. Make the following changes in the CIMV2 folder:
    1. Select the CIMV2 folder.
    2. Click Security.
    3. Click Add.
    4. Select the service account you created in Step 1.
      This example uses the UserID user with the email of userid@example.com.
    5. Check Allow for the Enable Account and Remote Enable for the account you created.
    6. Click Apply.
    7. Click OK.
  4. In Panorama, select Device > User Identification > User Mapping and click the gear icon to edit the settings.
  5. Make the following changes to the Palo Alto Networks User-ID Agent Setup settings:
    1. Select WMI Authentication and enter the domain and username (in the format domain/username) for the User-ID service account, along with a valid password.
    2. (Optional) Select Server Monitor and change the default settings, if required.
      • To disable security log monitoring on Windows servers, deselect Enable Security Log.
      • To enable monitoring of user sessions on the monitored servers, select Enable Session.
    3. (Optional) Select Client Probing and select Enable Probing to enable WMI probing.
    4. Click OK to exit from the Palo Alto Networks User-ID Agent Setup.
  6. If you have not done so already, click Add in the Server Monitoring area and add a Name, Description, Type, and Network Address for the server you need to monitor.
  7. Confirm that the server is connected.
    • To confirm using CLI commands, enter the show user server-monitor statistics command.
      username@hostname> show user server-monitor statistics
      Directory Servers:
      Name                         TYPE  Host                         Vsys   Status
      -----------------------------------------------------------------------------
      exampleadserver.example.com  AD    exampleadserver.example.com  vsys1  Connected
    • To confirm using Panorama, check the Status of the server.
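The least-privilege point in Step 1 (only Distributed COM Users, Event Log Readers and Server Operators; no Domain Admin or Enterprise Admin membership) is easy to drift from over time. The following PowerShell audit is an added example, not part of the Palo Alto Networks documentation; it assumes the RSAT ActiveDirectory module is installed, that the service account's sAMAccountName is UserID (from the example in Step 3), and that the account's distinguished name contains no LDAP filter metacharacters.

```powershell
# Added example: audit the User-ID service account's group memberships against
# the three groups the procedure requires and flag privileged memberships.
# Assumes the ActiveDirectory (RSAT) module and a service account named "UserID".
Import-Module ActiveDirectory

$ServiceAccount   = 'UserID'   # assumed sAMAccountName, matching the page's example
$RequiredGroups   = @('Distributed COM Users', 'Event Log Readers', 'Server Operators')
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Administrators', 'Account Operators')

$dn = (Get-ADUser -Identity $ServiceAccount).DistinguishedName

# LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) returns direct AND
# nested memberships in one query, so a privileged group reached through an
# intermediate group is not missed. The DN is assumed to need no LDAP escaping.
$groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
          Select-Object -ExpandProperty Name

$missing = $RequiredGroups | Where-Object { $_ -notin $groups }
$excess  = $groups         | Where-Object { $_ -in  $PrivilegedGroups }

if ($missing) {
    Write-Warning "$ServiceAccount is missing required groups: $($missing -join ', ')"
}
if ($excess) {
    Write-Warning "$ServiceAccount holds privileged groups the agent does not need: $($excess -join ', ')"
}
if (-not $missing -and -not $excess) {
    Write-Output "$ServiceAccount matches the recommended least-privilege group set."
}
```

On a Windows 2003 domain the Event Log Readers group does not exist (see the note in Step 1), so remove it from $RequiredGroups there and verify the group-policy audit permission instead.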

Redistribute User-ID Information for Mobile Users and Remote Networks

After you configure User-ID, configure User-ID redistribution to push the IP address-to-user mappings to all firewalls that secure access to network resources, so that user-based policy is enforced consistently for all mobile users and users at remote network locations.
You can redistribute User-ID mappings between the GlobalProtect cloud service and an on-premise next-generation firewall in either direction. Use whichever of the following methods matches the direction in which the mappings must flow:
  • In cases where mobile users need to access a resource on a remote network location or HQ/data center and the resource is secured by an on-premise next-generation firewall with user-based policies, you must redistribute User-ID mappings from the GlobalProtect cloud service that secures the remote network location or HQ/data center to the on-premise firewall. When the user connects to the GlobalProtect cloud service, it collects this user-to-IP address mapping and stores it.
    The following figure shows two mobile users that have an existing User-ID-to-IP address mapping in the GlobalProtect cloud service. The GlobalProtect cloud service then redistributes this mapping to the on-premise firewall that protects the HQ/data center that is connected to the GlobalProtect cloud service with a service connection.
    [Figure: User-ID mappings redistributed from the GlobalProtect cloud service to the on-premise firewall]
  • In cases where users are at a branch location or HQ that is secured by an on-premise next-generation firewall with user-based policies, and they need to access resources at another branch location that you have secured with the GlobalProtect cloud service, you must redistribute User-ID mappings from the on-premise firewall to the GlobalProtect cloud service.
    The following figure shows an HQ/Data center with an on-premise next-generation firewall with existing User-ID-to-IP address mapping. The GlobalProtect cloud service connects to the firewall with a service connection, and the on-premise firewall redistributes the mapping to the GlobalProtect cloud service.
    [Figure: User-ID mappings redistributed from the on-premise firewall to the GlobalProtect cloud service]