The firewall can receive user mappings from Windows-based User-ID agents or from other firewalls serving as User-ID agents. You must configure access from the firewall to these User-ID agents.
Perform the following tasks for managing connections from the firewall to User-ID agents.
Display information / Refresh Connected
Select the Device > User Identification > User-ID Agents page to see whether the firewall is Connected to each User-ID agent. The Connected column displays a green icon to indicate a successful connection, a yellow icon to indicate a disabled connection, and a red icon to indicate a failed connection. If you think the connection status might have changed since you first opened the page, click Refresh Connected to update the status display.
For the other fields that this page displays, see Configure Access to User-ID Agents.
To remove the configuration that enables the firewall to connect to a User-ID agent, select the agent and click Delete.
To disable access to a User-ID agent without deleting its configuration, edit it and clear Enabled.

Custom Agent Sequence
If you enable User-ID agents to perform NT LAN Manager (NTLM) authentication on behalf of the firewall, then by default the firewall communicates with the agents in the order you add them, from top to bottom (see the Use for NTLM Authentication field in Configure Access to User-ID Agents). To change the order, click Custom Agent Sequence, Add each agent, click Move Up or Move Down to reposition the agents, and click OK.
Configure Access to User-ID Agents
To configure the firewall to access a User-ID agent, click
Add
and complete the following fields.
Name
Enter a name (up to 31 characters) to identify the User-ID agent. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
For a firewall serving as a User-ID agent for user mapping redistribution, this field does not have to match the Collector Name field.

Host
Windows-based User-ID agent—Enter the IP address of the Windows host on which the User-ID agent is installed.
Firewall User-ID agent—Enter the hostname or IP address of the interface (service route) on the firewall that serves as a User-ID agent to redistribute user mappings to the firewall you are logged into. For details on service routes, see Device > Setup > Services.

Port
Enter the port number on which the User-ID agent will listen for User-ID requests. The default is 5007, but you can specify any available port. Different User-ID agents can use different ports.
Some earlier versions of the User-ID agent use 2010 as the default port.

Collector Name and Pre-Shared Key
These fields apply only if the User-ID agent is another firewall that redistributes user mappings to the firewall you are logged into. Enter the Collector Name and Pre-Shared Key that are configured on the User-ID agent (see Enable Redistribution of User Mappings Among Firewalls). The firewall you are logged into uses the key to establish an SSL connection with the User-ID agent.

Select this option if you want the firewall to use this User-ID agent as a proxy for collecting group mapping information from a directory server. To use this option, you must also configure group mapping on the firewall (see Device > User Identification > Group Mapping Settings). The firewall pushes that configuration to the User-ID agent to enable it to collect the mapping information.
This option is useful in deployments where the firewall cannot directly access the directory server. It is also useful in deployments that benefit from reducing the number of queries the directory server must process; multiple firewalls can receive the group mapping information from the cache on a single User-ID agent instead of each firewall having to query the server directly.

Use for NTLM Authentication
Select this option if you want the firewall to use this User-ID agent as a proxy for performing NT LAN Manager (NTLM) authentication when a client web request matches a Captive Portal rule. The User-ID agent collects user mapping information from the domain controller and forwards it to the firewall. To use this option, you must also Enable NTLM Authentication on the User-ID agent.
This option is useful in deployments where the firewall cannot directly access the domain controller to perform NTLM authentication. It is also useful in deployments that benefit from reducing the number of authentication requests the domain controller must process; multiple firewalls can receive the user mapping information from the cache on a single User-ID agent instead of each firewall directly querying the domain controller.

Enabled
Select this option to enable the firewall to communicate with the User-ID agent.
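As an added illustration (not part of the PAN-OS documentation or product), the following Python models the constraints this page states for a User-ID agent entry and checks a set of entries before they are committed: name format and uniqueness, a valid port, Collector Name plus Pre-Shared Key for firewall agents, and the NTLM flag only on enabled agents. The data model, the sample rows, the hosts and the placeholder key are assumptions.

```python
import re
from dataclasses import dataclass

# Hypothetical model of one row on the User-ID Agents page; not a PAN-OS API.
NAME_RE = re.compile(r"^[A-Za-z0-9 _-]{1,31}$")  # letters, numbers, spaces, hyphens, underscores

@dataclass
class UserIdAgent:
    name: str
    host: str                      # Windows host IP, or the service-route interface of a firewall agent
    port: int = 5007               # default listening port; some earlier agent versions default to 2010
    is_firewall: bool = False      # True when another firewall redistributes mappings to this one
    collector_name: str = ""
    pre_shared_key: str = ""       # used to establish the SSL connection to a firewall agent
    use_for_ntlm: bool = False
    enabled: bool = True

def validate_agents(agents):
    """Return a list of problems found in the agent rows; an empty list means the set is consistent."""
    problems, seen = [], set()
    for a in agents:
        if not NAME_RE.match(a.name):
            problems.append(f"{a.name!r}: name must be 1-31 letters, numbers, spaces, hyphens or underscores")
        if a.name in seen:  # names are case-sensitive, so 'Agent' and 'agent' are distinct
            problems.append(f"{a.name!r}: duplicate agent name")
        seen.add(a.name)
        if not 1 <= a.port <= 65535:
            problems.append(f"{a.name!r}: port {a.port} is not a valid TCP port")
        if a.is_firewall and not (a.collector_name and a.pre_shared_key):
            problems.append(f"{a.name!r}: a firewall agent needs both Collector Name and Pre-Shared Key")
        if a.use_for_ntlm and not a.enabled:
            problems.append(f"{a.name!r}: selected for NTLM authentication but not Enabled")
    return problems

def ntlm_sequence(agents):
    """Default order in which the firewall contacts NTLM agents: the order they were added, top to bottom."""
    return [a.name for a in agents if a.use_for_ntlm and a.enabled]

# Constructed sample rows (placeholder hosts and key), not taken from any real deployment.
SAMPLE = [
    UserIdAgent("dc1-agent", "10.0.0.5", use_for_ntlm=True),
    UserIdAgent("core-fw", "10.0.0.1", is_firewall=True, collector_name="core-fw",
                pre_shared_key="PLACEHOLDER-PSK"),
    UserIdAgent("ntlm proxy", "10.0.0.6", port=2010, use_for_ntlm=True, enabled=False),
    UserIdAgent("bad/name", "10.0.0.7", port=70000),
]

if __name__ == "__main__":
    for p in validate_agents(SAMPLE):
        print("PROBLEM:", p)
    print("NTLM order:", ntlm_sequence(SAMPLE))
```

A disabled agent drops out of the NTLM order, which is why the check flags an agent that is selected for NTLM authentication but not Enabled.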