Perform the following tasks for managing connections from the firewall to User-ID agents.
Display information / Refresh Connected
Device > User Identification > User-ID Agents
page to see whether the firewall is Connected to each User-ID agent. The Connected column displays a green icon to indicate a successful connection, a yellow icon to indicate a disabled connection, and a red icon to indicate a failed connection. If you think the connection status might have changed since you first opened the page, click
to update the status display.
For the other fields that this page displays, see
Configure Access to User-ID Agents.
To remove the configuration that enables the firewall to connect to a User-ID agent, select the agent and click
To disable access to a User-ID agent without deleting its configuration, edit it and clear
Custom Agent Sequence
If you enable User-ID agents to perform NT LAN Manager (NTLM) authentication
on behalf of the firewall, then by default the firewall communicates with the agents in the order you add them, from top to bottom (see the
Use for NTLM Authentication
Configure Access to User-ID Agents). To change the order, click
Custom Agent Sequence,
each agent, click
to reposition the agents, and click
Configure Access to User-ID Agents
To configure the firewall to access a User-ID agent, click
and complete the following fields.
User-ID Agent Setting
Enter a name (up to 31 characters) to identify the User-ID agent. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
For a firewall serving as a User-ID agent for user mapping redistribution, this field does not have to match the
Collector Name field.
Windows-based User-ID agent—Enter the IP address of the Windows host on which the User-ID agent is installed.
Firewall User-ID agent—Enter the hostname or IP address of the interface (service route) on the firewall that serves as a User-ID agent to redistribute user mappings to the firewall you are logged into. For details on service routes, see
Device > Setup > Services.
Enter the port number on which the User-ID agent will listen for User-ID requests. The default is 5007 but you can specify any available port. Different User-ID agents can use different ports.
Some earlier versions of the User-ID agent use 2010 as the default port.
These fields apply only if the User-ID agent is another firewall that redistributes user mappings to the firewall you are logged into. Enter the
that are configured on the User-ID agent (see
Enable Redistribution of User Mappings Among Firewalls). The firewall you are logged into uses the key to establish an SSL connection with the User-ID agent.
Select this option if you want the firewall to use this User-ID agent as a proxy for collecting group mapping information from a directory server. To use this option, you must also configure group mapping on the firewall (see
Device > User Identification > Group Mapping Settings). The firewall pushes that configuration to the User-ID agent to enable it to collect the mapping information.
This option is useful in deployments where the firewall cannot directly access the directory server. It is also useful in deployments that benefit from reducing the number of queries the directory server must process; multiple firewalls can receive the group mapping information from the cache on a single User-ID agent instead of each firewall having to query the server directly.
Use for NTLM Authentication
Select this option if you want the firewall to use this User-ID agent as a proxy for performing NT LAN Manager (NTLM) authentication
when a client web request matches a Captive Portal rule. The User-ID agent collects user mapping information from the domain controller and forwards it to the firewall. To use this option, you must also
Enable NTLM Authentication on the User-ID agent.
This option is useful in deployments where the firewall cannot directly access the domain controller to perform NTLM authentication. It is also useful in deployments that benefit from reducing the number of authentication requests the domain controller must process; multiple firewalls can receive the user mapping information from the cache on a single User-ID agent instead of each firewall directly querying the domain controller.
Select this option to enable the firewall to communicate with the User-ID agent.
Configure Firewalls to Redistribute User Mapping Information
Configure Firewalls to Redistribute User Mapping Information Every firewall that enforces user-based policy requires user mapping information. However, a large-scale network where numerous firewalls directly ...
Map IP Addresses to Users
Map IP Addresses to Users User-ID provides many different methods for mapping IP addresses to usernames. Before you begin configuring user mapping, consider where your ...
Device > User Identification > User Mapping
Device > User Identification > User Mapping Configure the PAN-OS integrated User-ID agent that runs on the firewall to collect user mapping information. What do ...
Configure User Mapping Using the Windows User-ID Agent
Configure User Mapping Using the Windows User-ID Agent In most cases, the majority of your network users will have logins to your monitored domain services. ...
Enable User-ID The user identity, as opposed to an IP address, is an integral component of an effective security infrastructure. Knowing who is using each ...
User Identification Device > User Identification User Identification (User-ID™) is a Palo Alto Networks® next-generation firewall feature that seamlessly integrates with a range of enterprise ...
User-ID Redistribution Enhancement
User-ID Redistribution Enhancement You can now relay user mapping information from one firewall to another in a sequence of up to ten firewalls instead of ...
Limitations The following table includes limitations associated with PAN-OS® 7.1 releases. Issue ID Description PAN-76757 If the firewall collects IP address-to-username mappings by monitoring numerous ...
Deploy User-ID in a Large-Scale Network
Deploy User-ID in a Large-Scale Network A large-scale network can have hundreds of information sources that firewalls query to map IP addresses to usernames and ...
Deploy User-ID for Numerous Mapping Information Sources
Deploy User-ID for Numerous Mapping Information Sources You can use Windows Log Forwarding and Global Catalog servers to simplify user mapping and group mapping in ...