In most cases, the majority of your network users will have logins to your monitored domain services. For these users, the Palo Alto Networks User-ID agent monitors the servers for login events and performs the IP address to username mapping. The way you configure the User-ID agent depends on the size of your environment and the location of your domain servers. As a best practice, locate your User-ID agents near the servers it will monitor (that is, the monitored servers and the Windows User-ID agent should not be across a WAN link from each other). This is because most of the traffic for user mapping occurs between the agent and the monitored server, with only a small amount of traffic—the delta of user mappings since the last update—from the agent to the firewall.
The following topics describe how to install and configure the User-ID Agent and how to configure the firewall to retrieve user mapping information from the agent:
Install the User-ID Agent
The following procedure shows how to install the User-ID agent on a member server in the domain and set up the service account with the required permissions. If you are upgrading, the installer will automatically remove the older version, however, it is a good idea to back up the config.xml file before running the installer.
For information about the system requirements for installing the Windows-based User-ID agent and for information on supported server OS versions, refer to “Operating System (OS) Compatibility User-ID Agent” in the User-ID Agent Release Notes.
Install the Windows User-ID Agent
Create a dedicated Active Directory service account for the User-ID agent to access the services and hosts it will monitor to collect user mappings. Create a Dedicated Service Account for the User-ID Agent. Add the service account to the Event Log Reader builtin group to enable privileges to read the security log events. Run the MMC and launch the Active Directory Users and Computers snap-in. Navigate to the Builtin folder for the domain, right-click the Event Log Reader group and select Add to Group to open the properties dialog. Click Add and enter the name of the service account that you configured the User-ID service to use, then click Check Names to validate that you have the proper object name. Click OK twice to save the settings. Enable the service account to log on as a service. Select Group Policy Management > Default Domain Controller Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment. Right-click Log on as a service, then select Properties. Add the service account username or builtin group (Administrators have this privilege by default.).
Decide where to install the User-ID agent. The User-ID agent queries the Domain Controller and Exchange server logs using Microsoft Remote Procedure Calls (MSRPCs), which require a complete transfer of the entire log at each query. Therefore, always install one or more User-ID agents at each site that has servers to be monitored. For more detailed information on where to install User-ID agents, refer to Architecting User Identification (User-ID) Deployments. You must install the User-ID agent on a system running one of the supported OS versions: see “Operating System (OS) Compatibility User-ID Agent” in the User-ID Agent Release Notes. Make sure the system that will host the User-ID agent is a member of the same domain as the servers it will monitor. As a best practice, install the User-ID agent close to the servers it will be monitoring (there is more traffic between the User-ID agent and the monitored servers than there is between the User-ID agent and the firewall, so locating the agent close to the monitored servers optimizes bandwidth usage). To ensure the most comprehensive mapping of users, you must monitor all domain controllers that process authentication for users you want to map. You might need to install multiple User-ID agents to efficiently monitor all of your resources.
Download the User-ID agent installer. Install the User-ID agent version that is the same as the PAN-OS version running on the firewalls. If there is not a User-ID agent version that matches the PAN-OS version, install the latest version that is closest to the PAN-OS version. For example, if you are running PAN-OS 7.1 on your firewalls, install User-ID agent version 7.0. Log in to the Palo Alto Networks Customer Support web site. Select Software Updates from the Manage Devices section. Scroll to the User Identification Agent section of the screen and Download the version of the User-ID agent you want to install. Save the UaInstall-x.x.x-xx.msi file on the system(s) where you plan to install the agent.
Run the installer as an administrator. Open the Windows Start menu, right-click the Command Prompt program, and select Run as administrator. From the command line, run the .msi file you downloaded. For example, if you saved the .msi file to the Desktop you would enter the following: C:\Users\administrator.acme>cd Desktop C:\Users\administrator.acme\Desktop>UaInstall-6.0.0-1.msi Follow the setup prompts to install the agent using the default settings. By default, the agent gets installed to the C:\Program Files (x86)\Palo Alto Networks\User-ID Agent folder, but you can Browse to a different location. When the installation completes, Close the setup window.
Launch the User-ID Agent application. Open the Windows Start menu and select User-ID Agent.
( Optional ) Change the service account that the User-ID agent uses to log in. By default, the agent uses the administrator account used to install the .msi file. However, you may want to switch this to a restricted account as follows: Select User Identification > Setup and click Edit. Select the Authentication tab and enter the service account name that you want the User-ID agent to use in the User name for Active Directory field. Enter the Password for the specified account. Commit the changes to the User-ID agent configuration to restart the service using the service account credentials.
( Optional ) Assign account permissions to the installation folder. You only need to perform this step if the service account you configured for the User-ID agent is not either a domain administrator or a local administrator on the User-ID agent server host. Give the service account permissions to the installation folder: From the Windows Explorer, navigate to C:\Program Files\Palo Alto Networks and right-click the folder and select Properties. On the Security tab, click Edit, then Add the User-ID agent service account and assign it permissions to Modify, Read & execute, List folder contents, Read, and Write and then click OK to save the account settings. Give the service account permissions to the User-ID Agent registry sub-tree: Run regedit32 and navigate to the Palo Alto Networks sub-tree in one of the following locations: 32-bit systems HKEY_LOCAL_MACHINE\Software\ Palo Alto Networks 64-bit systems HKEY_LOCAL_MACHINE\Software\ WOW6432Node\Palo Alto Networks Right-click the Palo Alto Networks node and select Permissions. Assign the User-ID service account Full Control and then click OK to save the setting. On the domain controller, add the service account to the builtin groups to enable privileges to read the security log events (Event Log Reader group) and open sessions (Server Operator group): Run the MMC and Launch the Active Directory Users and Computers snap-in. Navigate to the Builtin folder for the domain and then right-click each group you need to edit (Event Log Reader and Server Operator) and select Add to Group to open the properties dialog. Click Add and enter the name of the service account that you configured the User-ID service to use and then click Check Names to validate that you have the proper object name. Click OK twice to save the settings.
Configure the User-ID Agent for User Mapping
The Palo Alto Networks User-ID agent is a Windows service that connects to servers on your network—for example, Active Directory servers, Microsoft Exchange servers, and Novell eDirectory servers—and monitors the logs for login events. The agent uses this information to map IP addresses to usernames. Palo Alto Networks firewalls connect to the User-ID agent to retrieve this user mapping information, enabling visibility into user activity by username rather than IP address and enables user- and group-based security enforcement.
For information about the server OS versions supported by the User-ID agent, refer to “Operating System (OS) Compatibility User-ID Agent” in the User-ID Agent Release Notes.
Map IP Addresses to Users Using the Windows-based User-ID Agent
Define the servers the User-ID agent will monitor to collect IP address to user mapping information. The User-ID agent can monitor up to 100 servers, of which up to 50 can be syslog senders. To collect all of the required mappings, the User-ID agent must connect to all servers that your users log in to in order to monitor the security log files on all servers that contain login events. Open the Windows Start menu and select User-ID Agent. Select User Identification > Discovery. In the Servers section of the screen, click Add. Enter a Name and Server Address for the server to be monitored. The network address can be a FQDN or an IP address. Select the Server Type ( Microsoft Active Directory, Microsoft Exchange, Novell eDirectory, or Syslog Sender) and then click OK to save the server entry. Repeat this step for each server to be monitored. ( Optional ) To enable the firewall to automatically discover domain controllers on your network using DNS lookups, click Auto Discover. Auto-discovery locates domain controllers in the local domain only; you must manually add Exchange servers, eDirectory servers, and syslog senders. ( Optional ) To tune the frequency at which the firewall polls configured servers for mapping information, select User Identification > Setup and Edit the Setup section. On the Server Monitor tab, modify the value in the Server Log Monitor Frequency (seconds) field. Increase the value in this field to 5 seconds in environments with older Domain Controllers or high-latency links. Ensure that the Enable Server Session Read setting is not selected. This setting requires that the User-ID agent have an Active Directory account with Server Operator privileges so that it can read all user sessions. Instead, use a Syslog or XML API integration to monitor sources that capture login and logout (XML API only) events for all device types and operating systems (instead of just Windows), such as wireless controllers and Network Access Controllers (NACs). Click OK to save the settings.
Specify the subnetworks the Windows User-ID agent should include in or exclude from User-ID. By default, the User-ID maps all users accessing the servers you are monitoring. As a best practice, always specify which networks to include and exclude from User-ID to ensure that the agent is only communicating with internal resources and to prevent unauthorized users from being mapped. You should only enable User-ID on the subnetworks where users internal to your organization are logging in. Select User Identification > Discovery. Add an entry to the Include/Exclude list of configured networks and enter a Name for the entry and enter the IP address range of the subnetwork in as the Network Address. Select whether to include or exclude the network: Include specified network —Select this option if you want to limit user mapping to users logged in to the specified subnetwork only. For example, if you include, the agent maps the users on that subnetwork and excludes all others. If you want the agent to map users in other subnetworks, you must repeat these steps to add additional networks to the list. Exclude specified network —Select this option only if you want the agent to exclude a subset of the subnetworks you added for inclusion. For example, if you include and exclude, the agent will map users on all the subnetworks of except, and will exclude all subnetworks outside of If you add subnetworks for exclusion without adding any for inclusion, the agent will not perform user mapping in any subnetwork. Click OK.
( Optional ) If you configured the agent to connect to a Novell eDirectory server, you must specify how the agent should search the directory. Select User Identification > Setup and click Edit in the Setup section of the window. Select the eDirectory tab and then complete the following fields: Search Base —The starting point or root context for agent queries, for example: dc=domain1, dc=example, dc=com . Bind Distinguished Name —The account to use to bind to the directory, for example: cn=admin, ou=IT, dc=domain1, dc=example, dc=com . Bind Password —The bind account password. The agent saves the encrypted password in the configuration file. Search Filter —The search query for user entries (default is objectClass=Person ). Server Domain Prefix —A prefix to uniquely identify the user. This is only required if there are overlapping name spaces, such as different users with the same name from two different directories. Use SSL —Select the check box to use SSL for eDirectory binding. Verify Server Certificate —Select the check box to verify the eDirectory server certificate when using SSL.
( Optional, not recommended ) Configure client probing. Do not enable client probing on high-security networks. Client probing can generate a large amount of network traffic and can pose a security threat when misconfigured. On the Client Probing tab, select the Enable WMI Probing check box and/or the Enable NetBIOS Probing check box. Make sure the Windows firewall will allow client probing by adding a remote administration exception to the Windows firewall for each probed client. For NetBIOS probing to work effectively, each probed client PC must allow port 139 in the Windows firewall and must also have file and printer sharing services enabled. Although client probing is not recommended, if you plan to enable it, WMI probing is preferred over NetBIOS whenever possible.
Save the configuration. Click OK to save the User-ID agent setup settings and then click Commit to restart the User-ID agent and load the new settings.
( Optional ) Define the set of users for which you do not need to provide IP address-to-username mappings, such as kiosk accounts. Use the ignore-user list to identify users whom you want to force to authenticate using Captive Portal. Save the ignore-user list as a text document using the title ignore_user_list and use the .txt file extension to save it to the User-ID Agent folder on the domain server where the agent is installed. List the user accounts to ignore; there is no limit to the number of accounts you can add to the list. Each user account name must be on a separate line. For example: SPAdmin SPInstall TFSReport You can use an asterisk as a wildcard character to match multiple usernames, but only as the last character in the entry. For example, corpdomain\it-admin* would match all administrators in the corpdomain domain whose usernames start with the string it-admin .
Configure the firewalls to connect to the User-ID agent. Complete the following steps on each firewall you want to connect to the User-ID agent to receive user mappings: Select Device > User Identification > User-ID Agents and click Add. Enter a Name for the User-ID agent. Enter the IP address of the Windows Host on which the User-ID Agent is installed. Enter the Port number (1-65535) on which the agent will listen for user mapping requests. This value must match the value configured on the User-ID agent. By default, the port is set to 5007 on the firewall and on newer versions of the User-ID agent. However, some older User-ID agent versions use port 2010 as the default. Make sure that the configuration is Enabled, then click OK. Commit the changes. Verify that the Connected status displays as connected (a green light).
Verify that the User-ID agent is successfully mapping IP addresses to usernames and that the firewalls can connect to the agent. Launch the User-ID agent and select User Identification. Verify that the agent status shows Agent is running. If the Agent is not running, click Start. To verify that the User-ID agent can connect to monitored servers, make sure the Status for each Server is Connected. To verify that the firewalls can connect to the User-ID agent, make sure the Status for each of the Connected Devices is Connected. To verify that the User-ID agent is mapping IP addresses to usernames, select Monitoring and make sure that the mapping table is populated. You can also Search for specific users, or Delete user mappings from the list.

Related Documentation