The user identity, as opposed to an IP address, is an integral component of an effective security infrastructure. Knowing who is using each of the applications on your network, and who may have transmitted a threat or is transferring files, can strengthen your security policy and reduce incident response times. User-ID enables you to leverage user information stored in a wide range of repositories for visibility, user- and group-based policy control, and improved logging, reporting, and forensics:
- Enable User-ID on the source zones that contain the users who will send requests that require user-based access controls.Enable User-ID on trusted zones only. If you enable User-ID and client probing on an external untrusted zone (such as the internet), probes could be sent outside your protected network, resulting in an information disclosure of the User-ID agent service account name, domain name, and encrypted password hash, which could allow an attacker to gain unauthorized access to protected services and applications.
- Selectand click the Name of the zone.NetworkZones
- Enable User Identificationand clickOK.
- As a best practice, create a service account with the minimum set of permissions required to support the User-ID options you enable to reduce your attack surface in the event that the service account is compromised.This is required if you plan to use the Windows-based User-ID agent or the PAN-OS integrated User-ID agent to monitor domain controllers, Microsoft Exchange servers, or Windows clients for user login and logout events.
- As a best practice, do not enable client probing as a user mapping method on high-security networks. Client probing can generate a large amount of network traffic and can pose a security threat when misconfigured.The way you do this depends on where your users are located and what types of systems they are using, and what systems on your network are collecting login and logout events for your users. You must configure one or more User-ID agents to enable User Mapping:
- Specify the networks to include and exclude from user mapping.As a best practice, always specify which networks to include and exclude from User-ID. This allows you to ensure that only your trusted assets are probed and that unwanted user mappings are not created unexpectedly.
- Configure Authentication Policy and Captive Portal.The firewall uses Captive Portal to authenticate end users when they request services, applications, or URL categories that match Authentication Policy rules. Based on user information collected during authentication, the firewall creates new user mappings or updates existing mappings. The mapping information collected during authentication overrides information collected through other User-ID methods.
- Enable user- and group-based policy enforcement.Create rules based on group rather than user whenever possible. This prevents you from having to continually update your rules (which requires a commit) whenever your user base changes.After configuring User-ID, you will be able to choose a username or group name when defining the source or destination of a security rule:
- SelectandPoliciesSecurityAdda new rule or click an existing rule name to edit.
- SelectUserand specify which users and groups to match in the rule in one of the following ways:
- If you want to select specific users or groups as matching criteria, clickAddin the Source User section to display a list of users and groups discovered by the firewall group mapping function. Select the users or groups to add to the rule.
- If you want to match any user who has or has not authenticated and you don’t need to know the specific user or group name, selectknown-userorunknownfrom the drop-down above the Source User list.
- Configure the rest of the rule as appropriate and then clickOKto save it. For details on other fields in the security rule, see Set Up a Basic Security Policy.
- Create the Security policy rules to safely enable User-ID within your trusted zones and prevent User-ID traffic from egressing your network.Follow the Security policy best practices to ensure that the User-ID application (paloalto-userid-agent) is only allowed in the zones where your agents (both your Windows agents and your PAN-OS integrated agents) are monitoring services and distributing mappings to firewalls. Specifically:
- Allow the paloalto-userid-agent application between the zones where your agents reside and the zones where the monitored servers reside (or even better, between the specific systems that host the agent and the monitored servers).
- Allow the paloalto-userid-agent application between the agents and the firewalls that need the user mappings and between firewalls that are redistributing user mappings and the firewalls they are redistributing the information to.
- Deny the paloalto-userid-agent application to any external zone, such as your internet zone.
- Configure the firewall to obtain user IP addresses from X-Forwarded-For (XFF) headers.When the firewall is between the Internet and a proxy server, the IP addresses in the packets that the firewall sees are for the proxy server rather than users. To enable visibility of user IP addresses instead, configure the firewall to use the XFF headers for user mapping. With this option enabled, the firewall matches the IP addresses with usernames referenced in policy to enable control and visibility for the associated users and groups. For details, see Identify Users Connected through a Proxy Server.
- Selectand edit the X-Forwarded-For Headers settings.DeviceSetupContent-ID
- SelectX-Forwarded-For Header in User-ID.SelectingStrip-X-Forwarded-For Headerdoesn’t disable the use of XFF headers for user attribution in policy rules; the firewall zeroes out the XFF value only after using it for user attribution.
- ClickOKto save your changes.
- Commit your changes.Commityour changes to activate them.
- After you configure user mapping and group mapping, verify that the configuration works properly and that you can safely enable and monitor user and group access to your applications and services.
Device > User Identification > User Mapping
Device > User Identification > User Mapping Configure the PAN-OS integrated User-ID agent that runs on the firewall to map IP addresses to usernames. What ...
Configure the Windows-Based User-ID Agent for User Mapping
Configure the Windows-Based User-ID Agent for User Mapping The Palo Alto Networks User-ID agent is a Windows service that connects to servers on your network—for ...
Map IP Addresses to Users
Map IP Addresses to Users User-ID provides many different methods for mapping IP addresses to usernames. Before you begin configuring user mapping, consider where your ...
Include or Exclude Subnetworks for User Mapping
Include or Exclude Subnetworks for User Mapping Device > User Identification > User Mapping Use the Include/Exclude Networks list to configure the rules that define ...
User Mapping Knowing user and groups names is only one piece of the puzzle. The firewall also needs to know which IP addresses map to ...
Ports Used for User-ID
Ports Used for User-ID User-ID is a feature that enables mapping of user IP addresses to usernames and group memberships, enabling user- or group-based policy ...
Building Blocks of Security Zones
Building Blocks of Security Zones To define a security zone, click Add and specify the following information. Security Zone Settings Description Name Enter a zone ...
Panorama and Log Collectors as User-ID Redistribution Points
Panorama and Log Collectors as User-ID Redistribution Points You can now leverage your Panorama and distributed log collection infrastructure to redistribute User-ID mappings in large-scale ...
Deploy User-ID in a Large-Scale Network
Deploy User-ID in a Large-Scale Network A large-scale network can have hundreds of information sources that firewalls query to map IP addresses to usernames and ...