Configure the PAN-OS integrated User-ID agent that runs on the firewall to collect user mapping information.
What do you want to know? See:
Configure the User-ID agent. These settings define the methods that the User-ID agent uses to perform user mapping:
Enable the User-ID agent to monitor server logs for user mapping information: Enable Server Monitoring
Ensure that the firewall has the most current user mapping information as users roam and obtain new IP addresses: Configure Cache Timeouts for User Mapping Entries
Enable NT LAN Manager (NTLM) authentication for user mapping through Captive Portal: Enable NTLM Authentication
Enable firewalls to share user and group mapping information to simplify User-ID management: Enable Redistribution of User Mappings Among Firewalls
Configure the User-ID agent to parse syslog messages for user mapping information: Manage Syslog Message Filters
Configure the User-ID agent to omit specific usernames from the mapping process: Manage the User Ignore List
Enable the User-ID agent to use Windows Management Instrumentation (WMI) to probe client systems and monitor servers for user mapping information: Enable WMI Authentication
Enable the User-ID agent to probe client systems for user mapping information: Enable Client Probing
Manage access to the servers that the User-ID agent monitors for user mapping information: Monitor Servers
Manage the subnetworks that the firewall includes or excludes when collecting user mapping information: Define Subnetworks to Include/Exclude for User Mapping
Looking for more? Configure User Mapping Using the PAN-OS Integrated User-ID Agent
Enable WMI Authentication
To configure the PAN-OS integrated User-ID agent to use Windows Management Instrumentation (WMI) for probing client systems and monitoring Microsoft Exchange servers and domain controllers for user mapping information, complete the following fields.
 Because WMI probing trusts data reported back from the endpoint, it is not a recommended method of obtaining User-ID information in a high-security network. If you are using the User-ID agent to parse AD security event logs, syslog messages, or the XML API to obtain User-ID mappings, Palo Alto Networks recommends disabling WMI probing. If you do choose to use WMI probing, do not enable it on external, untrusted interfaces, as this would cause the agent to send WMI probes containing sensitive information such as the username, domain name, and password hash of the User-ID agent service account outside of your network. This information could potentially be exploited by an attacker to penetrate the network to gain further access.
WMI Authentication Setting Description
User Name and Password: Enter the domain credentials (User Name and Password) for the account that the firewall will use to access Windows resources. The account requires permissions to perform WMI queries on client computers and to monitor Exchange servers and domain controllers. Use domain\username syntax for the User Name.
 The complete procedure to configure the PAN-OS integrated User-ID agent to monitor servers and probe clients requires additional tasks.
Enable Client Probing
You can configure the User-ID agent to perform WMI client probing for each client system that the user mapping process identifies. The User-ID agent will periodically probe each learned IP address to verify that the same user is still logged in. When the firewall encounters an IP address for which it has no user mapping, it sends the address to the User-ID agent for an immediate probe. To configure client probing settings, complete the following fields.
 The complete procedure to configure the PAN-OS integrated User-ID agent to probe clients requires additional tasks. The PAN-OS Integrated User-ID agent doesn’t support NetBIOS probing, but the Windows-based User-ID agent does.
Client Probing Setting Description
Enable Probing: Select this option to enable WMI probing. Do not enable client probing on high-security networks. Client probing can generate a large amount of network traffic and can pose a security threat when misconfigured. Instead, collect user mapping information from more isolated and trusted sources, such as domain controllers, or through Syslog or XML API integrations, which have the added benefit of allowing you to safely capture user mapping information from any device type or operating system, instead of just Windows clients.
Probe Interval (min): Enter the probe interval in minutes (range is 1-1440; default is 20). This is the interval between when the firewall finishes processing the last request and when it starts the next request. In large deployments, it is important to set the interval properly to allow time to probe each client that the user mapping process identified. For example, if you have 6,000 users and an interval of 10 minutes, the firewall would need to send 10 WMI requests per second to keep up. If the probe request load is high, the observed delay between requests might significantly exceed the interval you specify.
Enable Server Monitoring
To enable the User-ID agent to collect user mapping information by monitoring the security event logs of servers for logon events, complete the following fields.
 If the query load is high for Windows server logs, Windows server sessions, or eDirectory servers, the observed delay between queries might significantly exceed the specified frequency or interval. The complete procedure to configure the PAN-OS integrated User-ID agent to monitor servers and probe clients requires additional tasks.
Server Monitoring Setting Description
Enable Security Log: Select this option to enable security log monitoring on Windows servers.
Server Log Monitor Frequency (sec): Specify the frequency in seconds at which the firewall will query Windows server security logs for user mapping information (range is 1-3600; default is 2). This is the interval between when the firewall finishes processing the last query and
Enable Session: Select this option to enable monitoring of user sessions on the monitored servers. Each time a user connects to a server, a session is created; the firewall can use this information to identify the user IP address. Do not select the Enable Session check box. This setting requires that the User-ID agent have an Active Directory account with Server Operator privileges so that it can read all user sessions. Instead, use a Syslog or XML API integration to monitor sources that capture login and logout events for all device types and operating systems (instead of just Windows), such as wireless controllers and NACs.
Server Session Read Frequency (sec): Specify the frequency in seconds at which the firewall will query Windows server user sessions for user mapping information (range is 1-3600; default is 10). This is the interval between when the firewall finishes processing the last query and when it starts the next query.
Novell eDirectory Query Interval (sec): Specify the frequency in seconds at which the firewall will query Novell eDirectory servers for user mapping information (range is 1-3600; default is 30). This is the interval between when the firewall finishes processing the last query and when it starts the next query.
Syslog Service Profile: Select an SSL/TLS service profile that specifies the certificate and allowed SSL/TLS versions for communications between the firewall and any syslog senders that the User-ID agent monitors. For details, see Device > Certificate Management > SSL/TLS Service Profile and Manage Syslog Message Filters. If you select None, the firewall uses its predefined, self-signed certificate.
Configure Cache Timeouts for User Mapping Entries
To ensure that the firewall has the most current user mapping information as users roam and obtain new IP addresses, configure timeouts for clearing user mapping entries from the firewall cache.
Cache Setting Description
Enable User Identification Timeout: Select this option to enable a timeout value for user mapping entries. When the timeout value is reached for an entry, the firewall clears it and collects a new mapping. This ensures that the firewall has the most current information as users roam and obtain new IP addresses.
User Identification Timeout (min): Set the timeout value in minutes for user mapping entries (range is 1-3,600; default is 45). If you configure firewalls to redistribute mapping information, each firewall clears the mapping entries it receives based on the timeout you set on that firewall, not on the timeouts set in the forwarding firewalls.
Enable NTLM Authentication
When a client web request matches a Captive Portal rule with an action set to browser-challenge (see Policies > Captive Portal), an NT LAN Manager (NTLM) challenge transparently authenticates the client. The firewall then collects user mapping information from the NTLM domain.
 As a best practice, choose Kerberos SSO transparent authentication over NTLM authentication when configuring Captive Portal. Kerberos is a stronger, more robust authentication method than NTLM and it does not require the firewall to have an administrative account to join the domain.
You can enable NTLM authentication processing for only one virtual system per firewall, which you select in the Location drop-down at the top of the User Mapping page.
Optionally, you can use the firewall to perform NTLM authentication processing for other firewalls by adding it as a User-ID agent to those firewalls. For details, see Configure Access to User-ID Agents.
If you use the Windows-based User-ID agent, NTLM responses go directly to the domain controller where you installed the agent. For details, see the NTLM Authentication field in Device > User Identification > Captive Portal Settings.
 The complete procedures to configure Captive Portal or Windows-based User-ID agents require additional tasks.
To configure NTLM authentication processing, complete the following fields.
Field Description
Enable NTLM authentication processing: Select this option to enable NTLM authentication processing.
NTLM Domain: Enter the NTLM domain name.
Admin User Name (for the NTLM domain): Enter the administrator account that has access to the NTLM domain. Do not include the domain in the Admin User Name field. Otherwise, the firewall will fail to join the domain.
Enable Redistribution of User Mappings Among Firewalls
To enable the firewall you are logged into to function as a User-ID agent for redistributing user mapping information to other firewalls, complete the following fields.
 The complete procedure to configure firewalls to redistribute user mapping information requires additional tasks. By default, virtual systems on the same firewall don’t share user mapping information, though you can configure them for redistribution.
Redistribution Setting Description
Collector Name: Enter a collector name (up to 255 alphanumeric characters) that identifies the firewall as a User-ID agent for redistributing mapping information.
Pre-Shared Key/Confirm Pre-Shared Key: Enter the pre-shared key (up to 255 alphanumeric characters) that other firewalls will use to establish a secure connection with this firewall to receive user mapping information.
Manage Syslog Message Filters
The User-ID agent uses Syslog Parse profiles to filter syslog messages for user mapping information. You can create separate profiles for messages from different syslog senders. For a User-ID agent to parse syslog messages, they must meet the following criteria:
Each message must be a single-line text string. A new line (\n) or a carriage return plus a new line (\r\n) are the delimiters for line breaks. The maximum size for individual messages is 2,048 bytes. Messages sent over UDP must be contained in a single packet; messages sent over SSL can span multiple packets. A single packet might contain multiple messages.
Palo Alto Networks provides predefined Syslog Parse profiles through Applications content updates. On a firewall with multiple virtual systems, the predefined profiles are global, whereas custom profiles apply only to a single virtual system.
To configure a custom profile, click Add and specify the settings described in the following table. The field descriptions in this table use a login event example from a syslog message with the following format:
[Tue Jul 5 13:15:04 2005 CDT] Administrator authentication success User:domain\johndoe_4 Source:192.168.0.212
 The complete procedure to configure the User-ID agent to collect user mapping information from a syslog sender requires additional tasks. If a firewall has predefined profiles that resemble those you want the User-ID agent to use, you can copy the profile settings. To access existing profiles, select Device > User Identification > User Mapping, edit the Palo Alto Networks User-ID Agent Setup section, select Syslog Filters, and click the name of the Syslog Parse profile that you want to copy.
Field Description
Syslog Parse Profile: Enter a name for the profile (up to 63 alphanumeric characters).
Description: Enter a description for the profile (up to 255 alphanumeric characters).
Type: Specify the type of parsing to identify successful authentication events. Regex Identifier: Use the Event Regex, Username Regex, and Address Regex fields to specify regular expressions (regex) that describe search patterns for identifying and extracting user mapping information from syslog messages. The firewall will use the regex to match authentication events in syslog messages and to match the username and IP address fields within the matching messages. Field Identifier: Use the Event String, Username Prefix, Username Delimiter, Address Prefix, and Address Delimiter fields to specify strings for matching the authentication event and for identifying the user mapping information in syslog messages. The remaining fields in the dialog vary based on your selection. Configure the fields for the desired type as described in the following rows.
Event Regex: Enter the regex to match successful authentication events. For the sample message, the regex (authentication\ success){1} extracts the first {1} instance of the string authentication success. The backslash before the space is a standard regex escape character that instructs the regex engine to treat the space literally rather than as a special character.
Username Regex: Enter the regex to identify the start of the username in authentication success messages. In the sample message, the regex User:([a-zA-Z0-9\\\._]+) matches the string User:domain\johndoe_4 and extracts domain\johndoe_4 as the username.
Address Regex: Enter the regex to identify the IP address portion of authentication success messages. In the sample message, the regular expression Source:([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) matches the IPv4 address Source:192.168.0.212 and adds 192.168.0.212 as the IP address in the username mapping.
Event String: Enter a matching string to identify successful authentication events in syslog messages. For the sample message, you would enter the string authentication success.
Username Prefix: Enter a matching string to identify the start of the username field in syslog messages. The field does not support regex expressions such as \s (for a space) or \t (for a tab). In the sample message, User: identifies the start of the username field.
Username Delimiter: Enter the delimiter that indicates the end of the username field in syslog messages. Use \s to indicate a standalone space (as in the sample message) and \t to indicate a tab.
Address Prefix: Enter a matching string to identify the start of the IP address field in syslog messages. The field does not support regex expressions such as \s (for a space) or \t (for a tab). In the sample message, Source: identifies the start of the address field.
Address Delimiter: Enter the delimiter that indicates the end of the IP address field in syslog messages. For example, enter \n to indicate the delimiter is a line break.
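The following Python script is an added illustration of how the two parsing types in this table behave on the sample message; it is not PAN-OS code, and the dictionary layout for a profile is a constructed representation. It applies the page's three regexes (Regex Identifier), the prefix/delimiter strings (Field Identifier), the single-line and 2,048-byte message rules, and the Default Domain Name behaviour from the Server Monitoring table.

```python
import re

# Constructed sample messages in the format the page describes; the first is the
# page's own login-event example, the others are variants built here for testing.
SAMPLE_OK = ("[Tue Jul 5 13:15:04 2005 CDT] Administrator authentication success "
             "User:domain\\johndoe_4 Source:192.168.0.212")
SAMPLE_FAIL = SAMPLE_OK.replace("authentication success", "authentication failure")
SAMPLE_MULTILINE = SAMPLE_OK + "\r\nsecond line"   # violates the single-line rule

MAX_MESSAGE_BYTES = 2048   # per-message size limit stated on the page

# Regex Identifier profile, using the three patterns from the table
REGEX_PROFILE = {
    "event_regex": r"(authentication\ success){1}",
    "username_regex": r"User:([a-zA-Z0-9\\\._]+)",
    "address_regex": r"Source:([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})",
}

# Field Identifier profile for the same message (\s = space, \t = tab, \n = line break)
FIELD_PROFILE = {
    "event_string": "authentication success",
    "username_prefix": "User:",
    "username_delimiter": "\\s",
    "address_prefix": "Source:",
    "address_delimiter": "\\n",
}
_DELIMITERS = {"\\s": " ", "\\t": "\t", "\\n": "\n"}


def message_is_valid(msg: str) -> bool:
    """A message must be a single line of at most 2,048 bytes."""
    return "\n" not in msg and "\r" not in msg and len(msg.encode()) <= MAX_MESSAGE_BYTES


def parse_regex(msg: str, profile: dict):
    """Regex Identifier: returns (username, ip) or None when the event does not match."""
    if not message_is_valid(msg) or not re.search(profile["event_regex"], msg):
        return None
    user = re.search(profile["username_regex"], msg)
    addr = re.search(profile["address_regex"], msg)
    if not (user and addr):
        return None
    return user.group(1), addr.group(1)


def _field(msg: str, prefix: str, delimiter: str):
    """Text between a literal prefix and the next delimiter (rest of message if absent)."""
    start = msg.find(prefix)
    if start < 0:
        return None
    start += len(prefix)
    end = msg.find(_DELIMITERS.get(delimiter, delimiter), start)
    return msg[start:] if end < 0 else msg[start:end]


def parse_field(msg: str, profile: dict):
    """Field Identifier: plain-string matching, no regex, same return shape as parse_regex."""
    if not message_is_valid(msg) or profile["event_string"] not in msg:
        return None
    user = _field(msg, profile["username_prefix"], profile["username_delimiter"])
    addr = _field(msg, profile["address_prefix"], profile["address_delimiter"])
    if not (user and addr):
        return None
    return user, addr


def apply_default_domain(username: str, default_domain: str) -> str:
    """Models the Default Domain Name setting: prepend a domain only when the log has none."""
    return username if "\\" in username else f"{default_domain}\\{username}"


if __name__ == "__main__":
    print(parse_regex(SAMPLE_OK, REGEX_PROFILE))          # ('domain\\johndoe_4', '192.168.0.212')
    print(parse_field(SAMPLE_OK, FIELD_PROFILE))          # same mapping via Field Identifier
    print(parse_field(SAMPLE_MULTILINE, FIELD_PROFILE))   # None: not a single-line message
```

Running it shows that both parsing types yield the same mapping for a well-formed message, and that a failed logon or a multi-line message produces no mapping at all.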
Manage the User Ignore List
The ignore user list defines which user accounts don't require IP address-to-username mapping (for example, kiosk accounts). To configure the list, click Add and enter a username. You can use an asterisk as a wildcard character to match multiple usernames, but only as the last character in the entry. For example, corpdomain\it-admin* matches all administrators in the corpdomain domain whose usernames start with the string it-admin. You can add up to 5,000 entries to exclude from user mapping.
Monitor Servers
Use the Server Monitoring section to define the Microsoft Exchange Servers, Active Directory (AD) domain controllers, Novell eDirectory servers, or syslog senders that the User-ID agent monitors for login events.
Perform the following tasks in the Server Monitoring section to manage access to the servers that the User-ID agent monitors for user mapping information.
Display server information: For each monitored server, the User Mapping page displays the Status of the connection from the User-ID agent to the server. After you Add a server, the firewall tries to connect to it. If it succeeds, the Server Monitoring section displays Connected in the Status column. If the firewall cannot connect, the Status column displays an error condition, such as Connection refused or Connection timeout. For details on the other fields that the Server Monitoring section displays, see Configure Access to Monitored Servers.
Delete: To remove a server from the user mapping process (discovery), select the server and Delete it. To remove a server from discovery without deleting its configuration, edit the server entry and clear Enabled.
Discover: You can automatically Discover Microsoft Active Directory domain controllers using DNS. The firewall will discover domain controllers based on the domain name entered in the Device > Setup > Management page, General Settings section, Domain field. After discovering a domain controller, the firewall creates an entry for it in the Server Monitoring list; you can then enable the server for monitoring. The Discover feature works for domain controllers only, not Exchange servers or eDirectory servers.
Use the Server Monitoring section to Add up to 100 servers for the firewall to monitor.
 The complete procedure to configure the PAN-OS integrated User-ID agent to monitor servers requires additional tasks.
Server Monitoring Setting Description
Name: Enter a name for the server.
Description: Enter a description of the server.
Enabled: Select this option to enable log monitoring for this server.
Type: Select the server type. Your selection determines which other fields this dialog displays.
Network Address: If the server Type is Microsoft Active Directory, Microsoft Exchange, or Syslog Sender, enter the server IP address or FQDN.
Server Profile: If the server Type is Novell eDirectory, select an LDAP server profile for connecting to the Novell eDirectory server. For details, see Device > Server Profiles > LDAP.
Connection Type: If the server Type is Syslog Sender, select whether the User-ID agent will listen for syslog messages on the UDP port (514) or the SSL port (6514). If you select SSL, the Syslog Service Profile selected in the Enable Server Monitoring settings determines the SSL/TLS versions that are allowed and the certificate that the firewall uses to connect to the syslog sender.
Filter: If the server Type is Syslog Sender, select a Syslog Parse profile to use for extracting usernames and IP addresses from the syslog messages received from this server. You create the profiles when configuring Manage Syslog Message Filters.
Default Domain Name (Optional): If the server Type is Syslog Sender, enter a domain name to prepend to the username if the log entry has no domain name.
Define Subnetworks to Include/Exclude for User Mapping
Use the Include/Exclude Networks list to configure the rules that define which subnetworks the User-ID agent will include or exclude when collecting IP address-to-username mappings. By default, if the list is empty, the User-ID agent collects mappings for user identification sources in all subnetworks using any collection method that you configured. The exception is when using the WMI probing method for client systems that have public IPv4 addresses (public IPv4 addresses are those outside the scope of RFC 1918 and RFC 3927). To enable WMI probing for public IPv4 addresses, you must configure Include rules for the subnetworks where those addresses reside.
The User-ID agent applies an implicit exclude all rule to the list. For example, if you add an Include rule for subnetwork 10.0.0.0/8, the User-ID agent excludes all other subnetworks even if you don’t add Exclude rules for them. Add Exclude rules only if you want the User-ID agent to exclude a subset of the subnetworks specified in an Include rule. For example, if you add an Exclude rule for 10.2.48.0/22 and add an Include rule for 10.0.0.0/8, the User-ID agent will collect mappings from all the subnetworks of 10.0.0.0/8 except 10.2.48.0/22, and will exclude all subnetworks outside of 10.0.0.0/8. If you add Exclude rules without adding any Include rules, the User-ID agent excludes all subnetworks, not just the ones you added.
By default, when determining whether to collect user mapping information for a particular user identification source, the User-ID agent evaluates the rules from top to bottom in the order that the Include/Exclude Networks list displays them. The User-ID agent includes or excludes the source based only on the first rule that matches that source to a subnetwork; the agent does not evaluate any subsequent rules. This means you must list the rules from top to bottom in the order of most to least restrictive. For example, because the 10.2.48.0/22 subnetwork is a subset of the 10.0.0.0/8 subnetwork, you would add an Exclude rule for 10.2.48.0/22 above an Include rule for 10.0.0.0/8 to ensure that the User-ID agent skips mapping collection for any 10.2.48.0/22 sources. If you need to change the evaluation order after adding rules, you can create a Custom Include/Exclude Network Sequence.
If you configure the firewall to redistribute user mapping information to other firewalls, the limits you specify in the Include/Exclude Networks list will apply to the redistributed information.
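The following Python script is an added model of the rule evaluation described above (first match wins, implicit exclude-all, exclude-only lists exclude everything, and the WMI-probing exception for public IPv4 addresses); it is not PAN-OS code, and the (action, network) tuple list is a constructed representation of the Include/Exclude Networks list in its displayed order. It also flags rules that can never match because an earlier rule already covers their subnetwork, which is the ordering mistake the text warns about.

```python
import ipaddress

# RFC 1918 private and RFC 3927 link-local IPv4 ranges, as named on the page.
_PRIVATE_IPV4 = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def should_map(ip: str, rules, method: str = "server_monitoring") -> bool:
    """Return True if the agent collects a mapping for this source IP.

    rules is a list of (action, network) tuples in displayed order, with action
    "include" or "exclude". method names the collection method in use; only
    "wmi_probe" is treated specially, per the public-IPv4 exception on the page.
    """
    addr = ipaddress.ip_address(ip)
    if not rules:
        # Empty list: collect everywhere, except that WMI probing of a public
        # IPv4 address requires an explicit Include rule.
        if method == "wmi_probe" and addr.version == 4:
            return any(addr in net for net in _PRIVATE_IPV4)
        return True
    for action, network in rules:           # evaluated top to bottom
        if addr in ipaddress.ip_network(network, strict=False):
            return action == "include"      # first matching rule decides
    return False                            # implicit exclude-all rule


def shadowed_rules(rules):
    """Indexes of rules that never match because an earlier rule covers their subnetwork."""
    nets = [ipaddress.ip_network(n, strict=False) for _, n in rules]
    return [i for i, net in enumerate(nets)
            if any(net.version == earlier.version and net.subnet_of(earlier)
                   for earlier in nets[:i])]


if __name__ == "__main__":
    # Page example in the recommended order: most restrictive rule first.
    good = [("exclude", "10.2.48.0/22"), ("include", "10.0.0.0/8")]
    # Same rules in the wrong order: the Exclude rule is shadowed by the Include rule.
    bad = [("include", "10.0.0.0/8"), ("exclude", "10.2.48.0/22")]
    print(should_map("10.2.49.7", good))    # False: excluded subnetwork
    print(should_map("10.2.49.7", bad))     # True: the /8 rule matched first
    print(shadowed_rules(bad))              # [1]
    print(should_map("192.168.5.5", good))  # False: implicit exclude-all
```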
You can perform the following tasks on the Include/Exclude Networks list: