User-ID provides many different methods for mapping
IP addresses to usernames. Before you begin configuring user mapping,
consider where your users are logging in from, what services they
are accessing, and what applications and data you need to control
access to. This will inform which types of agents or integrations
would best allow you to identify your users.
Once you have your plan, you can begin configuring user mapping
using one or more of the following methods as needed to enable user-based
access and visibility to applications and resources:
While you can configure either the Windows
agent or the PAN-OS integrated User-ID agent on the firewall to
listen for authentication syslog messages from the network services,
because only the PAN-OS integrated agent supports syslog listening
over TLS, it is the preferred configuration.
To include the username and domain in the headers for outgoing
traffic so other devices in your network can identify the user and
enforce user-based policy, you can Insert Username in HTTP Headers.
A large-scale network can have hundreds of information sources
that firewalls query for user and group mapping and can have numerous
firewalls that enforce policies based on the mapping information.
You can simplify User-ID administration for such a network by aggregating
the mapping information before the User-ID agents collect it. You
can also reduce the resources that the firewalls and information
sources use in the querying process by configuring some firewalls
to redistribute the mapping information. For details, see Deploy
User-ID in a Large-Scale Network.