User-ID provides many different methods for mapping IP addresses to usernames. Before you begin configuring user mapping, consider where your users are logging in from, what services they are accessing, and what applications and data you need to control access to. This will inform which types of agents or integrations would best allow you to identify your users. For guidance, refer to Architecting User Identification Deployments.
Once you have your plan, you can begin configuring user mapping using one or more of the following methods as needed to enable user-based access and visibility to applications and resources:
- To map users as they log in to your Exchange servers, domain controllers, eDirectory servers, or Windows clients, you must configure a User-ID agent: Configure User Mapping Using the PAN-OS Integrated User-ID Agent, or Configure User Mapping Using the Windows User-ID Agent.
- If you have clients running multi-user systems in a Windows environment, such as Microsoft Terminal Server or Citrix Metaframe Presentation Server or XenApp, Configure the Palo Alto Networks Terminal Services Agent for User Mapping.
- For a multi-user system that doesn't run on Windows, you can Retrieve User Mappings from a Terminal Server Using the PAN-OS XML API.
- To obtain user mappings from existing network services that authenticate users, such as wireless controllers, 802.1x devices, Apple Open Directory servers, proxy servers, or other Network Access Control (NAC) mechanisms, Configure User-ID to Receive User Mappings from a Syslog Sender.
You can configure either the Windows agent or the PAN-OS integrated User-ID agent on the firewall to listen for authentication syslog messages from these network services. However, only the PAN-OS integrated agent supports syslog listening over TLS, so it is the preferred configuration.
- If you have users with client systems that aren't logged in to your domain servers (for example, users running Linux clients that don't log in to the domain), you can Map IP Addresses to Usernames Using Captive Portal.
- For other clients that you can't map using the other methods, you can Send User Mappings to User-ID Using the XML API.

A large-scale network can have hundreds of information sources that firewalls query for user and group mapping, and numerous firewalls that enforce policies based on the mapping information. You can simplify User-ID administration for such a network by aggregating the mapping information before the User-ID agents collect it. You can also reduce the resources that the firewalls and information sources use in the querying process by configuring some firewalls to redistribute the mapping information. For details, see Deploy User-ID in a Large-Scale Network.
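The XML API method named above sends a uid-message document to the firewall's User-ID endpoint. The following is an added example, not code from the Palo Alto Networks documentation: it builds a login/logout update in the uid-message format, validates every IP address before it is placed in the message, parses the result back for checking, and posts it with a plain HTTP client. The firewall hostname, API key, usernames and addresses are constructed placeholders, and the `type=user-id` POST with a `cmd` parameter is assumed from the PAN-OS XML API conventions.

```python
"""Construct and send a PAN-OS User-ID XML API uid-message (added example)."""
import ipaddress
import xml.etree.ElementTree as ET
from urllib import parse, request


def build_uid_message(logins, logouts=(), timeout_minutes=20):
    """Return a <uid-message> 'update' document as UTF-8 bytes.

    logins and logouts are iterables of (username, ip) pairs. Each IP is
    validated with ipaddress first, so a malformed address raises ValueError
    here instead of producing a mapping the firewall cannot enforce.
    """
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    if logins:
        login = ET.SubElement(payload, "login")
        for user, ip in logins:
            # timeout is in minutes; after it expires the mapping is aged out
            ET.SubElement(login, "entry", name=user,
                          ip=str(ipaddress.ip_address(ip)),
                          timeout=str(int(timeout_minutes)))
    if logouts:
        logout = ET.SubElement(payload, "logout")
        for user, ip in logouts:
            ET.SubElement(logout, "entry", name=user,
                          ip=str(ipaddress.ip_address(ip)))
    return ET.tostring(root, encoding="utf-8")


def parse_uid_message(xml_bytes):
    """Read a uid-message back into {"login": [...], "logout": [...]}."""
    root = ET.fromstring(xml_bytes)
    result = {"login": [], "logout": []}
    for e in root.iterfind("./payload/login/entry"):
        result["login"].append((e.get("name"), e.get("ip"), int(e.get("timeout"))))
    for e in root.iterfind("./payload/logout/entry"):
        result["logout"].append((e.get("name"), e.get("ip")))
    return result


def send_uid_message(firewall_host, api_key, xml_bytes):
    """POST the message to https://<firewall>/api/?type=user-id (assumed form)."""
    url = f"https://{firewall_host}/api/?type=user-id"
    body = parse.urlencode({"key": api_key, "cmd": xml_bytes.decode("utf-8")}).encode()
    with request.urlopen(request.Request(url, data=body), timeout=10) as resp:
        return resp.read()


if __name__ == "__main__":  # constructed sample values, not a real deployment
    msg = build_uid_message([("acme\\alice", "10.0.20.15")], [("acme\\bob", "10.0.20.44")])
    print(msg.decode("utf-8"))
```

The firewall's XML response carries a `status` attribute that should be checked before treating the mapping as applied.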